From cae0d5a6f32e52e06c0841bb7142452062dc2ac8 Mon Sep 17 00:00:00 2001 From: Kishor PK Date: Thu, 30 Mar 2017 14:23:37 +0530 Subject: soc: qcom: pil: Avoid possible buffer overflow during Modem boot Buffer overflow can occur if MBA firmware size exceeds 1MB. So validate size before copying the firmware. CRs-Fixed: 2001803 Change-Id: I070ddf85fbc47df072e7258369272366262ebf46 Signed-off-by: Kishor PK --- drivers/soc/qcom/pil-msa.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/soc/qcom/pil-msa.c b/drivers/soc/qcom/pil-msa.c index 53bddc5..988b6e8 100644 --- a/drivers/soc/qcom/pil-msa.c +++ b/drivers/soc/qcom/pil-msa.c @@ -616,7 +616,15 @@ int pil_mss_reset_load_mba(struct pil_desc *pil) /* Load the MBA image into memory */ count = fw->size; - memcpy(mba_dp_virt, data, count); + if (count <= SZ_1M) { + /* Ensures memcpy is done for max 1MB fw size */ + memcpy(mba_dp_virt, data, count); + } else { + dev_err(pil->dev, "%s fw image loading into memory is failed due to fw size overflow\n", + __func__); + ret = -EINVAL; + goto err_mba_data; + } /* Ensure memcpy of the MBA memory is done before loading the DP */ wmb(); -- cgit v1.1