From: Richard Fitzgerald rf@opensource.cirrus.com
stable inclusion from stable-v6.6.41 commit 16d76857d6b5426f41b587d0bb925de3f25bfb21 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEMN CVE: CVE-2024-41056
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 680e126ec0400f6daecf0510c5bb97a55779ff03 ]
Use strnlen() instead of strlen() on the algorithm and coefficient name string arrays in V1 wmfw files.
In V1 wmfw files the name is a NUL-terminated string in a fixed-size array. cs_dsp should protect against overrunning the array if the NUL terminator is missing.
Signed-off-by: Richard Fitzgerald rf@opensource.cirrus.com Fixes: f6bc909e7673 ("firmware: cs_dsp: add driver to support firmware loading on Cirrus Logic DSPs") Link: https://patch.msgid.link/20240708144855.385332-1-rf@opensource.cirrus.com Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org Conflicts: drivers/firmware/cirrus/cs_dsp.c [Due to not merge commit 76ea8e13aaefd firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers] Signed-off-by: Jinjie Ruan ruanjinjie@huawei.com --- drivers/firmware/cirrus/cs_dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/firmware/cirrus/cs_dsp.c b/drivers/firmware/cirrus/cs_dsp.c index 79d4254d1f9b..fe0fb7d635f0 100644 --- a/drivers/firmware/cirrus/cs_dsp.c +++ b/drivers/firmware/cirrus/cs_dsp.c @@ -1109,7 +1109,7 @@ static inline void cs_dsp_coeff_parse_alg(struct cs_dsp *dsp, const u8 **data,
blk->id = le32_to_cpu(raw->id); blk->name = raw->name; - blk->name_len = strlen(raw->name); + blk->name_len = strnlen(raw->name, ARRAY_SIZE(raw->name)); blk->ncoeff = le32_to_cpu(raw->ncoeff); break; default: @@ -1142,7 +1142,7 @@ static inline void cs_dsp_coeff_parse_coeff(struct cs_dsp *dsp, const u8 **data, blk->offset = le16_to_cpu(raw->hdr.offset); blk->mem_type = le16_to_cpu(raw->hdr.type); blk->name = raw->name; - blk->name_len = strlen(raw->name); + blk->name_len = strnlen(raw->name, ARRAY_SIZE(raw->name)); blk->ctl_type = le16_to_cpu(raw->ctl_type); blk->flags = le16_to_cpu(raw->flags); blk->len = le32_to_cpu(raw->len);