From: Ian Abbott
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, Ian Abbott, H Hartley Sweeten, stable@vger.kernel.org
Subject: [PATCH] comedi: me4000: Fix potential overrun of firmware buffer
Date: Thu, 5 Feb 2026 13:39:49 +0000
Message-ID: <20260205133949.71722-1-abbotti@mev.co.uk>

`me4000_xilinx_download()` loads the firmware that was requested by `request_firmware()`. It is possible for it to overrun the source buffer because it blindly trusts the file format. It reads a data stream length from the first 4 bytes into variable `file_length` and reads the data stream contents of length `file_length` from offset 16 onwards.

Add a test to ensure that the supplied firmware is long enough to contain the header and the data stream. On failure, log an error and return `-EINVAL`.

Note: The firmware loading was totally broken before commit ac584af59945 ("staging: comedi: me4000: fix firmware downloading"), but that is the most sensible target for this fix.

Fixes: ac584af59945 ("staging: comedi: me4000: fix firmware downloading")
Cc:
Signed-off-by: Ian Abbott
--- drivers/comedi/drivers/me4000.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/drivers/comedi/drivers/me4000.c b/drivers/comedi/drivers/me400= 0.c index 7dd3a0071863..effe9fdbbafe 100644 --- a/drivers/comedi/drivers/me4000.c +++ b/drivers/comedi/drivers/me4000.c 
@@ -315,6 +315,18 @@ static int me4000_xilinx_download(struct comedi_device= *dev, unsigned int val; unsigned int i; =20 + /* Get data stream length from header. */ + if (size >=3D 4) { + file_length =3D (((unsigned int)data[0] & 0xff) << 24) + + (((unsigned int)data[1] & 0xff) << 16) + + (((unsigned int)data[2] & 0xff) << 8) + + ((unsigned int)data[3] & 0xff); + } + if (size < 16 || file_length > size - 16) { + dev_err(dev->class_dev, "Firmware length inconsistency\n"); + return -EINVAL; + } + if (!xilinx_iobase) return -ENODEV; =20 @@ -346,10 +358,6 @@ static int me4000_xilinx_download(struct comedi_device= *dev, outl(val, devpriv->plx_regbase + PLX9052_CNTRL); =20 /* Download Xilinx firmware */ - file_length =3D (((unsigned int)data[0] & 0xff) << 24) + - (((unsigned int)data[1] & 0xff) << 16) + - (((unsigned int)data[2] & 0xff) << 8) + - ((unsigned int)data[3] & 0xff); usleep_range(10, 1000); =20 for (i =3D 0; i < file_length; i++) { --=20 2.51.0
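
Review bot: In the first hunk, `file_length` is assigned only inside `if (size >= 4)`, so on the short-file path it stays unset and the code depends on `size < 16 ||` short-circuiting to avoid reading it; unless it is initialised at its declaration (outside the visible context), that is fragile and may draw a maybe-uninitialized warning. Suggest rejecting `size < 16` first, then decoding the header unconditionally and testing `file_length > size - 16`, which also makes it obvious that `size - 16` cannot wrap. The open-coded big-endian decode could become `get_unaligned_be32(data)`, and the error message would be more useful for diagnosis if it printed `size` and the decoded length. Also worth a line in the commit message: the length check now runs before the `!xilinx_iobase` test, so a malformed image returns -EINVAL in a case that previously returned -ENODEV.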