| author | Kishor PK <kpbhat@codeaurora.org> | 2017-03-30 14:23:37 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-04-20 02:04:43 -0700 |
| commit | cae0d5a6f32e52e06c0841bb7142452062dc2ac8 (patch) | |
| tree | 9c8536beb927260a7a5adfae257cf33b970df875 /drivers/soc/qcom | |
| parent | 7514c164f1207f5596ce680c8dbf957e3b969133 (diff) | |
soc: qcom: pil: Avoid possible buffer overflow during Modem boot
Buffer overflow can occur if MBA firmware size exceeds 1MB.
So validate size before copying the firmware.
CRs-Fixed: 2001803
Change-Id: I070ddf85fbc47df072e7258369272366262ebf46
Signed-off-by: Kishor PK <kpbhat@codeaurora.org>
Diffstat (limited to 'drivers/soc/qcom')
| -rw-r--r-- | drivers/soc/qcom/pil-msa.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/drivers/soc/qcom/pil-msa.c b/drivers/soc/qcom/pil-msa.c index 53bddc5987df..988b6e8c9fd9 100644 --- a/drivers/soc/qcom/pil-msa.c +++ b/drivers/soc/qcom/pil-msa.c @@ -616,7 +616,15 @@ int pil_mss_reset_load_mba(struct pil_desc *pil) /* Load the MBA image into memory */ count = fw->size; - memcpy(mba_dp_virt, data, count); + if (count <= SZ_1M) { + /* Ensures memcpy is done for max 1MB fw size */ + memcpy(mba_dp_virt, data, count); + } else { + dev_err(pil->dev, "%s fw image loading into memory is failed due to fw size overflow\n", + __func__); + ret = -EINVAL; + goto err_mba_data; + } /* Ensure memcpy of the MBA memory is done before loading the DP */ wmb(); |
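Review bot: The bound added before the memcpy in pil_mss_reset_load_mba() is the literal SZ_1M in `if (count <= SZ_1M)`, and nothing in this hunk ties that constant to the size of the region behind mba_dp_virt. If that buffer is sized elsewhere in the function with a different or configurable value, the check should compare against that same value (a shared macro or the variable used for the allocation) so the two cannot drift apart. Two smaller points on the same lines: the dev_err message would be more useful for triage if it printed fw->size and the limit, and inverting the test (`if (count > SZ_1M) { ...; goto err_mba_data; }` followed by the unconditional memcpy) would remove the else branch and keep the copy on the main path.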
