firmware: Sigma: Prevent out of bounds memory access

commit 4f718a29fe4908c2cea782f751e9805319684e2b upstream. The SigmaDSP firmware loader currently does not perform enough boundary size checks when processing the firmware. As a result it is possible that a malformed firmware can cause an out of bounds memory access. This patch adds checks which ensure that both the action header and the payload are completely inside the firmware data boundaries before processing them. Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Acked-by: Mike Frysinger <vapier@gentoo.org> Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Lars-Peter Clausen <lars@metafoo.de> 2011-11-28 09:44:14 +0100
committer: Greg Kroah-Hartman <gregkh@suse.de> 2011-12-09 08:54:34 -0800
commit: 3b958a46b7e81c432d7d6ef00ee4bd51ef2d39e2 (patch)
tree: 050abab832a895b66525e72d89003b057d40ecdb /include
parent: adc771853323bb695e50eab52299b82d675cd665 (diff)
1 files changed, 0 insertions, 5 deletions
diff --git a/include/linux/sigma.h b/include/linux/sigma.h
index e2accb3164d8..9a138c2946bb 100644
--- a/include/linux/sigma.h
+++ b/include/linux/sigma.h
@@ -50,11 +50,6 @@ static inline u32 sigma_action_len(struct sigma_action *sa)
 	return (sa->len_hi << 16) | sa->len;
 }
 
-static inline size_t sigma_action_size(struct sigma_action *sa, u32 payload_len)
-{
-	return sizeof(*sa) + payload_len + (payload_len % 2);
-}
-
 extern int process_sigma_firmware(struct i2c_client *client, const char *name);
 
 #endif
author	Lars-Peter Clausen <lars@metafoo.de>	2011-11-28 09:44:14 +0100
committer	Greg Kroah-Hartman <gregkh@suse.de>	2011-12-09 08:54:34 -0800
commit	3b958a46b7e81c432d7d6ef00ee4bd51ef2d39e2 (patch)
tree	050abab832a895b66525e72d89003b057d40ecdb /include
parent	adc771853323bb695e50eab52299b82d675cd665 (diff)