From 475ddacc32bb904783a7ebeaabf56c267c4c3a88 Mon Sep 17 00:00:00 2001 From: Liam Girdwood Date: Thu, 11 Jun 2026 14:31:24 +0100 Subject: [PATCH 1/2] lib_manager: bound build info offset to the library size The build info pointer was derived from a manifest-supplied text segment offset without bounds, so a crafted manifest could read outside the library buffer. Validate the offset against the library image size before dereferencing and fail the module type lookup otherwise. Signed-off-by: Liam Girdwood --- src/library_manager/lib_manager.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/library_manager/lib_manager.c b/src/library_manager/lib_manager.c index e090a321a056..a639504cbf7b 100644 --- a/src/library_manager/lib_manager.c +++ b/src/library_manager/lib_manager.c @@ -567,6 +567,8 @@ static enum buildinfo_mod_type lib_manager_get_module_type(const struct sof_man_ const struct sof_module_api_build_info *const build_info = (const struct sof_module_api_build_info *)((const char *)desc - SOF_MAN_ELF_TEXT_OFFSET + mod->segment[SOF_MAN_SEGMENT_TEXT].file_offset); + const size_t lib_size = (size_t)desc->header.preload_page_count * PAGE_SZ; + const uint32_t text_off = mod->segment[SOF_MAN_SEGMENT_TEXT].file_offset; /* * llext modules store build info structure in separate section which is not accessible now. 
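Review bot: `build_info` is still computed from the unchecked `file_offset` before the new bound is applied, so the possibly out-of-range pointer is formed (pointer arithmetic beyond the image is undefined behaviour even without a dereference) and stays in scope for the rest of the function; deriving it from `text_off` after the check in the following hunk keeps the pointer from existing until it is known to lie inside the image. `lib_size` is taken from the same manifest (`desc->header.preload_page_count`), so the guard only holds if `preload_page_count` was validated against the real buffer size when the library was loaded — that is not visible here and is worth confirming and recording in the comment, e.g. `/* preload_page_count is validated against the buffer at load time in <LOAD_FUNCTION> */` with the real name filled in. The pointer base is `desc - SOF_MAN_ELF_TEXT_OFFSET`, so `text_off` and `lib_size` must both be measured from that image start for the comparison to be meaningful. The function's signature and remainder lie outside this hunk.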
@@ -574,6 +576,17 @@ static enum buildinfo_mod_type lib_manager_get_module_type(const struct sof_man_ if (module_is_llext(mod)) return MOD_TYPE_LLEXT; + /* + * build_info is derived from a manifest-supplied file_offset; bound it + * against the library image size before dereferencing so a crafted + * offset cannot read outside the library buffer. + */ + if (text_off > lib_size || lib_size - text_off < sizeof(*build_info)) { + tr_err(&lib_manager_tr, "Invalid TEXT file_offset %u, lib_size %zu", + text_off, lib_size); + return MOD_TYPE_INVALID; + } + tr_info(&lib_manager_tr, "Module API version: %u.%u.%u, format: 0x%x", build_info->api_version_number.fields.major, build_info->api_version_number.fields.middle, From 7d796ce9f5d3f7e9fa2605edf2bd833994e4b527 Mon Sep 17 00:00:00 2001 From: Liam Girdwood Date: Thu, 11 Jun 2026 14:31:24 +0100 Subject: [PATCH 2/2] lib_manager: check context allocation on dram restore The resume path allocated a library context and immediately wrote through it without a NULL check, crashing under memory pressure. Check the allocation and fail the restore gracefully. Signed-off-by: Liam Girdwood --- src/library_manager/llext_manager_dram.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/library_manager/llext_manager_dram.c b/src/library_manager/llext_manager_dram.c index 25c00f47b4e1..2f6cff2b3501 100644 --- a/src/library_manager/llext_manager_dram.c +++ b/src/library_manager/llext_manager_dram.c @@ -200,10 +200,14 @@ int llext_manager_restore_from_dram(void) continue; } - /* Panics on failure - use the same zone as during the first boot */ struct lib_manager_mod_ctx *ctx = rmalloc(SOF_MEM_FLAG_KERNEL | SOF_MEM_FLAG_COHERENT, sizeof(*ctx)); + if (!ctx) { + tr_err(&lib_manager_tr, "library context allocation failure"); + goto nomem; + } + /* Restore the library context */ *ctx = lib_manager_dram.ctx[j++];
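Review bot: In the lib_manager.c hunk the new guard returns MOD_TYPE_INVALID, but nothing visible shows how lib_manager_get_module_type's callers treat that value; if a caller only distinguishes MOD_TYPE_LLEXT from the IADK default, a crafted manifest is still accepted and only the log line changes. Confirm that every caller fails the load on MOD_TYPE_INVALID, or note the contract above the function, e.g. `/* Returns MOD_TYPE_INVALID when the manifest TEXT offset is out of bounds; callers must reject the library. */`. The check itself is written in the overflow-safe order (`text_off > lib_size` before `lib_size - text_off`), which is the right shape. The function's head and tail are outside this hunk.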