From: Ian Abbott
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , Ian Abbott , H Hartley Sweeten , stable@vger.kernel.org
Subject: [PATCH] comedi: me_daq: Fix potential overrun of firmware buffer
Date: Thu, 5 Feb 2026 14:01:30 +0000
Message-ID: <20260205140130.76697-1-abbotti@mev.co.uk>
X-Mailer: git-send-email 2.51.0
Content-Transfer-Encoding: quoted-printable

`me2600_xilinx_download()` loads the firmware that was requested by `request_firmware()`. It is possible for it to overrun the source buffer because it blindly trusts the file format. It reads a data stream length from the first 4 bytes into variable `file_length` and reads the data stream contents of length `file_length` from offset 16 onwards. Although it checks that the supplied firmware is at least 16 bytes long, it does not check that it is long enough to contain the data stream.

Add a test to ensure that the supplied firmware is long enough to contain the header and the data stream. On failure, log an error and return `-EINVAL`.

Fixes: 85acac61096f9 ("Staging: comedi: add me_daq driver")
Cc: 
Signed-off-by: Ian Abbott
---
 drivers/comedi/drivers/me_daq.c | 35 ++++++++++++++++++---------------
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/drivers/comedi/drivers/me_daq.c b/drivers/comedi/drivers/me_da= q.c index 076b15097afd..2f2ea029cffc 100644 --- a/drivers/comedi/drivers/me_daq.c +++ b/drivers/comedi/drivers/me_daq.c
@@ -344,6 +344,25 @@ static int me2600_xilinx_download(struct comedi_device= *dev, unsigned int file_length; unsigned int i; =20 + /* + * Format of the firmware + * Build longs from the byte-wise coded header + * Byte 1-3: length of the array + * Byte 4-7: version + * Byte 8-11: date + * Byte 12-15: reserved + */ + if (size >=3D 4) { + file_length =3D (((unsigned int)data[0] & 0xff) << 24) + + (((unsigned int)data[1] & 0xff) << 16) + + (((unsigned int)data[2] & 0xff) << 8) + + ((unsigned int)data[3] & 0xff); + } + if (size < 16 || file_length > size - 16) { + dev_err(dev->class_dev, "Firmware length inconsistency\n"); + return -EINVAL; + } + /* disable irq's on PLX */ writel(0x00, devpriv->plx_regbase + PLX9052_INTCSR); =20 @@ -357,22 +376,6 @@ static int me2600_xilinx_download(struct comedi_device= *dev, writeb(0x00, dev->mmio + 0x0); sleep(1); =20 - /* - * Format of the firmware - * Build longs from the byte-wise coded header - * Byte 1-3: length of the array - * Byte 4-7: version - * Byte 8-11: date - * Byte 12-15: reserved - */ - if (size < 16) - return -EINVAL; - - file_length =3D (((unsigned int)data[0] & 0xff) << 24) + - (((unsigned int)data[1] & 0xff) << 16) + - (((unsigned int)data[2] & 0xff) << 8) + - ((unsigned int)data[3] & 0xff); - /* * Loop for writing firmware byte by byte to xilinx * Firmware data start at offset 16 --=20 2.51.0
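Review bot: in the first hunk (@@ -344,6 +344,25 @@), the `if (size >= 4)` guard around the header decode leaves `file_length` unassigned when `size` is 0 to 3; it is never read on that path because `size < 16` short-circuits the combined condition, but the split shape invites a maybe-uninitialized warning and obscures the intent. Simpler to test the header length first and decode unconditionally: `if (size < 16) { dev_err(...); return -EINVAL; }`, then the four-byte decode, then `if (file_length > size - 16) { dev_err(...); return -EINVAL; }`; that also keeps the `size - 16` subtraction visibly behind the `size < 16` test it depends on. The decode itself is a plain big-endian 32-bit load and could be written as `file_length = get_unaligned_be32(data);`. Separately, the comment being moved still says "Byte 1-3: length of the array" while the code decodes data[0] through data[3]; since the comment is relocated anyway, change it to "Byte 0-3", which also makes it consistent with the 4-7, 8-11 and 12-15 fields and the 16-byte header.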
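Review bot: in the second hunk (@@ -357,22 +376,6 @@), the loop that follows the removed check (the context "Loop for writing firmware byte by byte to xilinx / Firmware data start at offset 16") now relies on `file_length` having been validated some thirty lines earlier, ahead of the PLX interrupt disable and the writeb()/sleep(1) sequence shown in the context; a one-line comment above the loop saying that `file_length` has already been checked against `size` would stop a later refactor from reordering the two again. The move also changes the error path: a malformed blob now returns -EINVAL before any register is written, whereas previously the PLX interrupts had been disabled and the writes issued first. That is the better behaviour, but it deserves a sentence in the commit message.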
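As an added example, not the me_daq driver's code: a user-space C model of the header check the patch introduces, with the pre-patch arithmetic beside it so the overrun the check prevents can be measured on constructed blobs. The header layout (big-endian length in bytes 0-3, data stream from offset 16) follows the commit message; `fw_check`, `fw_load`, `fw_unchecked_overrun`, `fw_build_blob` and the `demo_*` scenario helpers are hypothetical names for this example, and the 0xA5 payload and the declared lengths are constructed test data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space model of the me2600 firmware header check, not the
 * driver's own code. Layout as in the patch: bytes 0-3 carry the big-endian
 * length of the data stream, bytes 4-15 version/date/reserved, data at 16. */
#define FW_HDR_LEN 16u
enum fw_status { FW_OK = 0, FW_ERR_SHORT = -1, FW_ERR_LENGTH = -2, FW_ERR_DEST = -3 };

static uint32_t fw_declared_len(const uint8_t *data)
{
    return ((uint32_t)data[0] << 24) | ((uint32_t)data[1] << 16) |
           ((uint32_t)data[2] << 8) | (uint32_t)data[3];
}

/* Hardened check: reject a blob too short for the header first, then a
 * declared length that does not fit in the bytes that follow the header. */
static enum fw_status fw_check(const uint8_t *data, size_t size, uint32_t *len)
{
    if (size < FW_HDR_LEN)
        return FW_ERR_SHORT;
    *len = fw_declared_len(data);
    if (*len > size - FW_HDR_LEN)   /* size >= 16 here, so no wrap-around */
        return FW_ERR_LENGTH;
    return FW_OK;
}

/* Bytes the pre-patch loop would read past the end of the buffer: it only
 * required size >= 16 and then walked the declared length from offset 16. */
static size_t fw_unchecked_overrun(const uint8_t *data, size_t size)
{
    size_t avail, len;
    if (size < FW_HDR_LEN)
        return 0;
    len = fw_declared_len(data);
    avail = size - FW_HDR_LEN;
    return len > avail ? len - avail : 0;
}

/* Checked byte-by-byte copy standing in for the driver's writeb() loop.
 * Returns the number of bytes streamed, or a negative fw_status. */
static long fw_load(const uint8_t *data, size_t size, uint8_t *dest, size_t dest_cap)
{
    uint32_t len, i;
    enum fw_status st = fw_check(data, size, &len);
    if (st != FW_OK)
        return st;
    if (len > dest_cap)
        return FW_ERR_DEST;
    for (i = 0; i < len; i++)
        dest[i] = data[FW_HDR_LEN + i];
    return (long)len;
}

/* Constructed test blob: zeroed header carrying decl_len, then payload_len
 * bytes of 0xA5. Returns the blob size, or 0 if it would not fit in cap. */
static size_t fw_build_blob(uint8_t *buf, size_t cap, uint32_t decl_len, size_t payload_len)
{
    size_t total = FW_HDR_LEN + payload_len;
    if (total > cap)
        return 0;
    memset(buf, 0, FW_HDR_LEN);
    buf[0] = (uint8_t)(decl_len >> 24);
    buf[1] = (uint8_t)(decl_len >> 16);
    buf[2] = (uint8_t)(decl_len >> 8);
    buf[3] = (uint8_t)decl_len;
    memset(buf + FW_HDR_LEN, 0xA5, payload_len);
    return total;
}

/* Scenario: build a blob, optionally truncate it to truncate_to bytes
 * (0 = keep the full size), and run the checked loader over it. */
static long demo_load(uint32_t decl_len, size_t payload_len, size_t truncate_to)
{
    uint8_t blob[64], dest[64];
    size_t n = fw_build_blob(blob, sizeof blob, decl_len, payload_len);
    if (truncate_to && truncate_to < n)
        n = truncate_to;
    return fw_load(blob, n, dest, sizeof dest);
}

/* Scenario: how far the unchecked loop would have overrun for the same blob. */
static size_t demo_overrun(uint32_t decl_len, size_t payload_len)
{
    uint8_t blob[64];
    size_t n = fw_build_blob(blob, sizeof blob, decl_len, payload_len);
    return fw_unchecked_overrun(blob, n);
}

int main(void)
{
    printf("consistent (len 8, 8 bytes):  %ld\n", demo_load(8, 8, 0));
    printf("truncated to 10 bytes:        %ld\n", demo_load(8, 8, 10));
    printf("header claims 256, 4 present: %ld\n", demo_load(0x100, 4, 0));
    printf("old loop overrun, same blob:  %zu bytes\n", demo_overrun(0x100, 4));
    return 0;
}
```

The point of ordering the two tests as `fw_check` does is that `size - FW_HDR_LEN` is only evaluated once `size >= FW_HDR_LEN` is known, so the subtraction cannot wrap; a declared length of 0xFFFFFFFF against a 20-byte blob is rejected the same way as a declared 256.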