staging: brcm80211: added firmware validation

Fix for https://bugzilla.kernel.org/show_bug.cgi?id=21872

New function wl_check_firmwares() checks validity of all firmware images
loaded from user space.

Signed-off-by: Roland Vossen <rvossen@broadcom.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

3 files changed, 60 insertions, 2 deletions

diff --git a/drivers/staging/brcm80211/sys/wl_mac80211.c b/drivers/staging/brcm80211/sys/wl_mac80211.c
index 364b34986621..d41212bca633 100644
--- a/drivers/staging/brcm80211/sys/wl_mac80211.c
+++ b/drivers/staging/brcm80211/sys/wl_mac80211.c
@@ -1776,8 +1776,7 @@ static int wl_request_fw(struct wl_info *wl, struct pci_dev *pdev)
 			 wl->fw.hdr_num_entries[i]));
 	}
 	wl->fw.fw_cnt = i;
-	wl_ucode_data_init(wl);
-	return 0;
+	return wl_ucode_data_init(wl);
 }
 
 void wl_ucode_free_buf(void *p)
@@ -1793,3 +1792,54 @@ static void wl_release_fw(struct wl_info *wl)
 		release_firmware(wl->fw.fw_hdr[i]);
 	}
 }
+
+
+/*
+ * checks validity of all firmware images loaded from user space
+ */
+int wl_check_firmwares(struct wl_info *wl)
+{
+	int i;
+	int entry;
+	int rc = 0;
+	const struct firmware *fw;
+	const struct firmware *fw_hdr;
+	struct wl_fw_hdr *ucode_hdr;
+	for (i = 0; i < WL_MAX_FW && rc == 0; i++) {
+		fw =  wl->fw.fw_bin[i];
+		fw_hdr = wl->fw.fw_hdr[i];
+		if (fw == NULL && fw_hdr == NULL) {
+			break;
+		} else if (fw == NULL || fw_hdr == NULL) {
+			WL_ERROR(("%s: invalid bin/hdr fw\n", __func__));
+			rc = -EBADF;
+		} else if (fw_hdr->size % sizeof(struct wl_fw_hdr)) {
+			WL_ERROR(("%s: non integral fw hdr file size %d/%d\n",
+				  __func__, fw_hdr->size,
+				  sizeof(struct wl_fw_hdr)));
+			rc = -EBADF;
+		} else if (fw->size < MIN_FW_SIZE || fw->size > MAX_FW_SIZE) {
+			WL_ERROR(("%s: out of bounds fw file size %d\n",
+				  __func__, fw->size));
+			rc = -EBADF;
+		} else {
+			/* check if ucode section overruns firmware image */
+			ucode_hdr = (struct wl_fw_hdr *)fw_hdr->data;
+			for (entry = 0; entry < wl->fw.hdr_num_entries[i] && rc;
+			     entry++, ucode_hdr++) {
+				if (ucode_hdr->offset + ucode_hdr->len >
+				    fw->size) {
+					WL_ERROR(("%s: conflicting bin/hdr\n",
+						  __func__));
+					rc = -EBADF;
+				}
+			}
+		}
+	}
+	if (rc == 0 && wl->fw.fw_cnt != i) {
+		WL_ERROR(("%s: invalid fw_cnt=%d\n", __func__, wl->fw.fw_cnt));
+		rc = -EBADF;
+	}
+	return rc;
+}
+
diff --git a/drivers/staging/brcm80211/sys/wl_ucode.h b/drivers/staging/brcm80211/sys/wl_ucode.h
index b797ab661195..2a0f4028f6f3 100644
--- a/drivers/staging/brcm80211/sys/wl_ucode.h
+++ b/drivers/staging/brcm80211/sys/wl_ucode.h
@@ -14,6 +14,9 @@
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+#define MIN_FW_SIZE 40000	/* minimum firmware file size in bytes */
+#define MAX_FW_SIZE 150000
+
 typedef struct d11init {
 	u16 addr;
 	u16 size;
@@ -43,3 +46,4 @@ extern int wl_ucode_init_buf(struct wl_info *wl, void **pbuf, unsigned int idx);
 extern int wl_ucode_init_uint(struct wl_info *wl, unsigned *data,
 			      unsigned int idx);
 extern void wl_ucode_free_buf(void *);
+extern int  wl_check_firmwares(struct wl_info *wl);
diff --git a/drivers/staging/brcm80211/sys/wl_ucode_loader.c b/drivers/staging/brcm80211/sys/wl_ucode_loader.c
index acd24726b0f0..23e10f3dec0d 100644
--- a/drivers/staging/brcm80211/sys/wl_ucode_loader.c
+++ b/drivers/staging/brcm80211/sys/wl_ucode_loader.c
@@ -39,6 +39,10 @@ u32 *bcm43xx_bomminor;
 
 int wl_ucode_data_init(struct wl_info *wl)
 {
+	int rc;
+	rc = wl_check_firmwares(wl);
+	if (rc < 0)
+		return rc;
 	wl_ucode_init_buf(wl, (void **)&d11lcn0bsinitvals24,
 			  D11LCN0BSINITVALS24);
 	wl_ucode_init_buf(wl, (void **)&d11lcn0initvals24, D11LCN0INITVALS24);