mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
40 lines
1.2 KiB
Diff
40 lines
1.2 KiB
Diff
From cae0d5a6f32e52e06c0841bb7142452062dc2ac8 Mon Sep 17 00:00:00 2001
|
|
From: Kishor PK <kpbhat@codeaurora.org>
|
|
Date: Thu, 30 Mar 2017 14:23:37 +0530
|
|
Subject: soc: qcom: pil: Avoid possible buffer overflow during Modem boot
|
|
|
|
Buffer overflow can occur if MBA firmware size exceeds 1MB.
|
|
So validate size before copying the firmware.
|
|
|
|
CRs-Fixed: 2001803
|
|
Change-Id: I070ddf85fbc47df072e7258369272366262ebf46
|
|
Signed-off-by: Kishor PK <kpbhat@codeaurora.org>
|
|
---
|
|
drivers/soc/qcom/pil-msa.c | 10 +++++++++-
|
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/soc/qcom/pil-msa.c b/drivers/soc/qcom/pil-msa.c
|
|
index 53bddc5..988b6e8 100644
|
|
--- a/drivers/soc/qcom/pil-msa.c
|
|
+++ b/drivers/soc/qcom/pil-msa.c
|
|
@@ -616,7 +616,15 @@ int pil_mss_reset_load_mba(struct pil_desc *pil)
|
|
|
|
/* Load the MBA image into memory */
|
|
count = fw->size;
|
|
- memcpy(mba_dp_virt, data, count);
|
|
+ if (count <= SZ_1M) {
|
|
+ /* Ensures memcpy is done for max 1MB fw size */
|
|
+ memcpy(mba_dp_virt, data, count);
|
|
+ } else {
|
|
+ dev_err(pil->dev, "%s fw image loading into memory is failed due to fw size overflow\n",
|
|
+ __func__);
|
|
+ ret = -EINVAL;
|
|
+ goto err_mba_data;
|
|
+ }
|
|
/* Ensure memcpy of the MBA memory is done before loading the DP */
|
|
wmb();
|
|
|
|
--
|
|
cgit v1.1
|
|
|