[PATCH 6/7] remoteproc: validate resource table offset count

Next message: Pengpeng Hou: "[PATCH 4/7] fs/ntfs3: leave room for the UTF-8 terminator"
Previous message: Pengpeng Hou: "[PATCH 5/7] exfat: leave room for the UTF-8 terminator"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pengpeng Hou

Date: Mon Mar 23 2026 - 03:07:46 EST

rproc_handle_resources() trusts table_ptr->num when it walks the offset[]
array, but it does not first verify that the loaded resource table is
large enough to actually contain that many offsets. A malformed firmware
image can therefore force the loop to read past the end of the table
header before any per-entry bounds checks run.

Reject resource tables whose offset array does not fit inside the loaded
section.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
drivers/remoteproc/remoteproc_core.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c
index b087ed21858a..47fdfe5c2124 100644
--- a/drivers/remoteproc/remoteproc_core.c
+++ b/drivers/remoteproc/remoteproc_core.c
@@ -1022,6 +1022,12 @@ static int rproc_handle_resources(struct rproc *rproc,
if (!rproc->table_ptr)
return 0;

+ if (struct_size(rproc->table_ptr, offset,
+ rproc->table_ptr->num) > rproc->table_sz) {
+ dev_err(dev, "resource table is truncated\n");
+ return -EINVAL;
+ }
+
for (i = 0; i < rproc->table_ptr->num; i++) {
int offset = rproc->table_ptr->offset[i];
struct fw_rsc_hdr *hdr = (void *)rproc->table_ptr + offset;
--
2.50.1 (Apple Git-155)