git.ipfire.org Git - thirdparty/linux.git/commitdiff
lib/test_firmware: allocate the configured into_buf size
author Samuel Moelius <sam.moelius@trailofbits.com>
Fri, 5 Jun 2026 00:30:37 +0000 (00:30 +0000)
committer Andrew Morton <akpm@linux-foundation.org>
Thu, 11 Jun 2026 18:42:21 +0000 (11:42 -0700)
The batched into_buf test path allocates TEST_FIRMWARE_BUF_SIZE bytes
unconditionally, but then passes test_fw_config->buf_size to
request_firmware_into_buf() or request_partial_firmware_into_buf().

Userspace can set config_buf_size above TEST_FIRMWARE_BUF_SIZE before
triggering a batched request. If the firmware file is large enough, the
firmware loader writes past the end of the 1 KiB test buffer.

Allocate the buffer with the same size that the test passes to the firmware
API so config_buf_size remains the actual buffer size under test.

Assisted-by: Codex:gpt-5.5-cyber-preview
Link: https://lore.kernel.org/20260605003038.2005840-1-sam.moelius@trailofbits.com
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Kees Cook <kees@kernel.org>
Cc: Luis R. Rodriguez <mcgrof@kernel.org>
Cc: Scott Branden <scott.branden@broadcom.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
lib/test_firmware.c

index b471d720879a70c0db82e605960abe69de28ab4b..7459bba65444d1d153667ab3fc447c375418e938 100644 (file)
@@ -867,7 +867,7 @@ static int test_fw_run_batch_request(void *data)
        if (test_fw_config->into_buf) {
                void *test_buf;
 
-               test_buf = kzalloc(TEST_FIRMWARE_BUF_SIZE, GFP_KERNEL);
+               test_buf = kzalloc(test_fw_config->buf_size, GFP_KERNEL);
                if (!test_buf)
                        return -ENOMEM;
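Review bot: the new kzalloc(test_fw_config->buf_size, GFP_KERNEL) call takes a userspace-configurable size with no bounds check visible in this hunk, and the only guard after it is "if (!test_buf)". A buf_size of 0 makes kzalloc() return ZERO_SIZE_PTR, which is non-NULL and so passes that check, while a very large value fails the allocation and surfaces only as -ENOMEM. Consider rejecting 0 and capping the value where config_buf_size is stored, or using kvzalloc()/kvfree() if large buffers are meant to be testable. It would also help to read test_fw_config->buf_size once into a local size_t and use that local for both the allocation and the request_firmware_into_buf()/request_partial_firmware_into_buf() call the commit message mentions, so the allocated size and the size handed to the firmware loader cannot diverge again. A Fixes: tag for the commit that introduced the TEST_FIRMWARE_BUF_SIZE allocation is missing from the trailer block and would help stable backports.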