On Wed, May 20, 2020 at 06:52:21PM -0500, Li Yang wrote:
On Mon, May 18, 2020 at 5:57 PM Kees Cook [off-list ref] wrote:
quoted
Hm, looking at this code, I see a few other things that need to be
fixed:
1) drivers/tty/serial/ucc_uart.c does not do a be32_to_cpu() conversion
on the length test (understandably, a little-endian system has never run
this code since it's ppc specific), but it's still wrong:
if (firmware->header.length != fw->size) {
compare to the firmware loader:
length = be32_to_cpu(hdr->length);
2) drivers/soc/fsl/qe/qe.c does not perform bounds checking on the
per-microcode offsets, so the uploader might send data outside the
firmware buffer. Perhaps:
We do validate the CRC for each microcode, it is unlikely the CRC
check can pass if the offset or length is not correct. But you are
probably right that it will be safer to check the boundary and fail
Right, but a malicious firmware file could still match CRC but trick the
kernel code.
quicker before we actually start the CRC check. Will you come up with
a formal patch or you want us to deal with it?
It sounds like Gustavo will be sending one, though I don't think either
of us have the hardware to test it with, so if you could do that part,
that would be great! :)
--
Kees Cook