habanalabs: validate FW file size

We must validate FW size in order not to corrupt memory in case a malicious FW file will be present in system. Signed-off-by: Ofir Bitton <obitton@habana.ai> Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>

habanalabs: validate FW file size
We must validate FW size in order not to corrupt memory in case a malicious FW file will be present in system. Signed-off-by: Ofir Bitton <obitton@habana.ai> Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
bce382a8 · Ofir Bitton · Oded Gabbay · 804d057c · bce382a8
Commit bce382a8 authored Aug 11, 2020 by Ofir Bitton Committed by Oded Gabbay Aug 22, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 0 deletions

drivers/misc/habanalabs/common/firmware_if.c drivers/misc/habanalabs/common/firmware_if.c +9 -0

No files found.
--- a/drivers/misc/habanalabs/common/firmware_if.c
+++ b/drivers/misc/habanalabs/common/firmware_if.c
@@ -13,6 +13,7 @@
 #include <linux/io-64-nonatomic-lo-hi.h>
 #include <linux/slab.h>

+#define FW_FILE_MAX_SIZE	0x1400000 /* maximum size of 20MB */
 /**
 * hl_fw_load_fw_to_device() - Load F/W code to device's memory.
 *
@@ -48,6 +49,14 @@ int hl_fw_load_fw_to_device(struct hl_device *hdev, const char *fw_name,

 	dev_dbg(hdev->dev, "%s firmware size == %zu\n", fw_name, fw_size);

+	if (fw_size > FW_FILE_MAX_SIZE) {
+		dev_err(hdev->dev,
+			"FW file size %zu exceeds maximum of %u bytes\n",
+			fw_size, FW_FILE_MAX_SIZE);
+		rc = -EINVAL;
+		goto out;
+	}
+
 	fw_data = (const u64 *) fw->data;

 	memcpy_toio(dst, fw_data, fw_size);