drm/amdgpu: Add size guard before copy discovery binary
authorFeifei Xu <Feifei.Xu@amd.com>
Fri, 15 May 2026 06:27:02 +0000 (14:27 +0800)
committerAlex Deucher <alexander.deucher@amd.com>
Wed, 3 Jun 2026 17:48:40 +0000 (13:48 -0400)
Fix the firmware blob being copied into a fixed-size buffer without a length check.

Signed-off-by: Feifei Xu <Feifei.Xu@amd.com>
Reviewed-by: Le Ma <le.ma@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c

index d5d044e7fca72c5bfb1f675f34ae6063d43f865e..b52c9fcf3fc5558576a51f97ea14ffcfa3679e52 100644 (file)
@@ -396,6 +396,26 @@ static int amdgpu_discovery_read_binary_from_file(struct amdgpu_device *adev,
                return r;
        }
 
+       if (fw->size > adev->discovery.size) {
+               dev_err(adev->dev,
+                       "ip discovery firmware \"%s\" too large (%zu > %u)\n",
+                       fw_name, fw->size, adev->discovery.size);
+               release_firmware(fw);
+               return -EINVAL;
+       }
+
+       /* Ensure the firmware is at least large enough to contain the
+        * binary header fields.
+        */
+       if (fw->size < offsetof(struct binary_header, binary_size) +
+                       sizeof(((struct binary_header *)0)->binary_size)) {
+               dev_err(adev->dev,
+                       "ip discovery firmware \"%s\" too small (%zu)\n",
+                       fw_name, fw->size);
+               release_firmware(fw);
+               return -EINVAL;
+       }
+
        memcpy((u8 *)binary, (u8 *)fw->data, fw->size);
        release_firmware(fw);
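Review bot: The lower-bound check only proves that the `binary_size` field is present in the file; nothing in this hunk compares the value stored in that field with `fw->size`, so a short file whose header declares a larger size still passes and is copied. Whatever parses `binary` afterwards (outside this hunk, so not verifiable here) would then read bytes between `fw->size` and `adev->discovery.size` that this call never wrote. If no later check bounds it, consider rejecting a declared size larger than `fw->size`, or at least record the contract with a comment such as `/* only the first fw->size bytes of binary are valid; header sizes and offsets must be checked against it */`. As a smaller style point, the hand-rolled `offsetof(...) + sizeof(((struct binary_header *)0)->binary_size)` can be written `offsetofend(struct binary_header, binary_size)`. The function body starts and ends outside the hunk.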