From: Samuel Moelius Date: Fri, 5 Jun 2026 00:30:37 +0000 (+0000) Subject: lib/test_firmware: allocate the configured into_buf size X-Git-Tag: v7.2-rc1~77^2~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2737dc40d2ef3e9f3f9395d61f53f6668306a71;p=thirdparty%2Fkernel%2Flinux.git lib/test_firmware: allocate the configured into_buf size The batched into_buf test path allocates TEST_FIRMWARE_BUF_SIZE bytes unconditionally, but then passes test_fw_config->buf_size to request_firmware_into_buf() or request_partial_firmware_into_buf(). Userspace can set config_buf_size above TEST_FIRMWARE_BUF_SIZE before triggering a batched request. If the firmware file is large enough, the firmware loader writes past the end of the 1 KiB test buffer. Allocate the buffer with the same size that the test passes to the firmware API so config_buf_size remains the actual buffer size under test. Assisted-by: Codex:gpt-5.5-cyber-preview Link: https://lore.kernel.org/20260605003038.2005840-1-sam.moelius@trailofbits.com Signed-off-by: Samuel Moelius Reviewed-by: Andrew Morton Cc: Kees Cook Cc: Luis R. Rodriguez Cc: Scott Branden Signed-off-by: Andrew Morton --- diff --git a/lib/test_firmware.c b/lib/test_firmware.c index b471d720879a7..7459bba65444d 100644 --- a/lib/test_firmware.c +++ b/lib/test_firmware.c @@ -867,7 +867,7 @@ static int test_fw_run_batch_request(void *data) if (test_fw_config->into_buf) { void *test_buf; - test_buf = kzalloc(TEST_FIRMWARE_BUF_SIZE, GFP_KERNEL); + test_buf = kzalloc(test_fw_config->buf_size, GFP_KERNEL); if (!test_buf) return -ENOMEM;