thesofproject · lgirdwood · Jun 11, 2026 · Jun 11, 2026
@@ -574,6 +574,21 @@ static enum buildinfo_mod_type lib_manager_get_module_type(const struct sof_man_
 	if (module_is_llext(mod))
 		return MOD_TYPE_LLEXT;
 
+	/*
+	 * build_info is derived from a manifest-supplied file_offset; bound it
+	 * against the library image size before dereferencing so a crafted
+	 * offset cannot read outside the library buffer.
+	 */
+	{
+		const size_t lib_size = (size_t)desc->header.preload_page_count * PAGE_SZ;
+		const uint32_t text_off = mod->segment[SOF_MAN_SEGMENT_TEXT].file_offset;
+
+		if (text_off > lib_size || lib_size - text_off < sizeof(*build_info)) {
+			tr_err(&lib_manager_tr, "Invalid TEXT file_offset %u", text_off);
+			return MOD_TYPE_INVALID;
+		}
+	}
+
 	tr_info(&lib_manager_tr, "Module API version: %u.%u.%u, format: 0x%x",
 		build_info->api_version_number.fields.major,
 		build_info->api_version_number.fields.middle,

@@ -200,10 +200,14 @@ int llext_manager_restore_from_dram(void)
 			continue;
 		}
 
-		/* Panics on failure - use the same zone as during the first boot */
 		struct lib_manager_mod_ctx *ctx = rmalloc(SOF_MEM_FLAG_KERNEL | SOF_MEM_FLAG_COHERENT,
 							  sizeof(*ctx));
 
+		if (!ctx) {
+			tr_err(&lib_manager_tr, "library context allocation failure");
+			goto nomem;
+		}
+
 		/* Restore the library context */
 		*ctx = lib_manager_dram.ctx[j++];