Fix the firmware blob being copied into a fixed-size buffer without a length check.
Signed-off-by: Feifei Xu <[email protected]>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 20 +++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
index 8e3b6a4050e9..c9073935e1a4 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
@@ -396,6 +396,26 @@ static int amdgpu_discovery_read_binary_from_file(struct
amdgpu_device *adev,
return r;
}
+ if (fw->size > adev->discovery.size) {
+ dev_err(adev->dev,
+ "ip discovery firmware \"%s\" too large (%zu > %u)\n",
+ fw_name, fw->size, adev->discovery.size);
+ release_firmware(fw);
+ return -EINVAL;
+ }
+
+ /* Ensure the firmware is at least large enough to contain the
+ * binary header fields.
+ */
+ if (fw->size < offsetof(struct binary_header, binary_size) +
+ sizeof(((struct binary_header *)0)->binary_size)) {
+ dev_err(adev->dev,
+ "ip discovery firmware \"%s\" too small (%zu)\n",
+ fw_name, fw->size);
+ release_firmware(fw);
+ return -EINVAL;
+ }
+
memcpy((u8 *)binary, (u8 *)fw->data, fw->size);
release_firmware(fw);
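Review bot: The minimum-size test spells out the kernel's `offsetofend()` idiom by hand with a null-pointer cast; `if (fw->size < offsetofend(struct binary_header, binary_size)) {` expresses the same bound in one line and reads more clearly next to the "too large" check above it. That check only guarantees the binary_size field is present in the blob, not that the value it holds is bounded by fw->size, so if code after release_firmware() trusts binary_size to walk the image, it needs its own comparison against fw->size — that code is outside the hunk, so I cannot confirm it from here. A one-line comment on the first guard, `/* binary is adev->discovery.size bytes; never copy more than that */`, would make the relationship between the two sizes explicit for the next reader. The enclosing function amdgpu_discovery_read_binary_from_file starts and ends outside the hunk.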
--
2.34.1