habanalabs: validate FW file size

[ Upstream commit bce382a8bb080ed5f2f3a06754526dc58b91cca2 ] We must validate FW size in order not to corrupt memory in case a malicious FW file will be present in system. Signed-off-by: Ofir Bitton <obitton@habana.ai> Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-08-11 09:19:53 +03:00 · 2020-08-11 09:19:53 +03:00 · c9436de020
commit c9436de020
parent dddd5003c7
1 changed files with 9 additions and 0 deletions
--- a/drivers/misc/habanalabs/firmware_if.c
+++ b/drivers/misc/habanalabs/firmware_if.c
@ -11,6 +11,7 @@
 #include <linux/genalloc.h>
 #include <linux/io-64-nonatomic-lo-hi.h>

+#define FW_FILE_MAX_SIZE	0x1400000 /* maximum size of 20MB */
 /**
 * hl_fw_push_fw_to_device() - Push FW code to device.
 * @hdev: pointer to hl_device structure.
@ -43,6 +44,14 @@ int hl_fw_push_fw_to_device(struct hl_device *hdev, const char *fw_name,

 	dev_dbg(hdev->dev, "%s firmware size == %zu\n", fw_name, fw_size);

+	if (fw_size > FW_FILE_MAX_SIZE) {
+		dev_err(hdev->dev,
+			"FW file size %zu exceeds maximum of %u bytes\n",
+			fw_size, FW_FILE_MAX_SIZE);
+		rc = -EINVAL;
+		goto out;
+	}
+
 	fw_data = (const u64 *) fw->data;

 	memcpy_toio(dst, fw_data, fw_size);