Re: [PATCH 6/7] remoteproc: validate resource table offset count
From: Mathieu Poirier
Date: Wed Mar 25 2026 - 12:04:46 EST

Good morning,

On Mon, 23 Mar 2026 at 01:04, Pengpeng Hou <pengpeng@xxxxxxxxxxx> wrote:
>
> rproc_handle_resources() trusts table_ptr->num when it walks the offset[]
> array, but it does not first verify that the loaded resource table is
> large enough to actually contain that many offsets. A malformed firmware
> image can therefore force the loop to read past the end of the table
> header before any per-entry bounds checks run.
>
> Reject resource tables whose offset array does not fit inside the loaded
> section.
>
> Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
> ---
> drivers/remoteproc/remoteproc_core.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c
> index b087ed21858a..47fdfe5c2124 100644
> --- a/drivers/remoteproc/remoteproc_core.c
> +++ b/drivers/remoteproc/remoteproc_core.c
> @@ -1022,6 +1022,12 @@ static int rproc_handle_resources(struct rproc *rproc,
> if (!rproc->table_ptr)
> return 0;
>
> + if (struct_size(rproc->table_ptr, offset,
> + rproc->table_ptr->num) > rproc->table_sz) {

This check is already present in here:

https://elixir.bootlin.com/linux/v7.0-rc5/source/drivers/remoteproc/remoteproc_elf_loader.c#L305

Thanks,
Mathieu

> + dev_err(dev, "resource table is truncated\n");
> + return -EINVAL;
> + }
> +
> for (i = 0; i < rproc->table_ptr->num; i++) {
> int offset = rproc->table_ptr->offset[i];
> struct fw_rsc_hdr *hdr = (void *)rproc->table_ptr + offset;
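
Review bot: the new struct_size() check ahead of the offset[] loop does not say which load path it protects, and the reply above points to the same validation already being done in remoteproc_elf_loader.c. If some path can set rproc->table_ptr and rproc->table_sz without passing through that validation, name it in the commit message and in a short comment above the check; otherwise this hunk is redundant and can be dropped. If it stays, printing rproc->table_ptr->num and rproc->table_sz in the dev_err() message would make a rejected firmware image easier to diagnose than the fixed string "resource table is truncated".
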
> --
> 2.50.1 (Apple Git-155)
>