AMD General ping ...
Thanks, Feifei -----Original Message----- From: Feifei Xu <[email protected]> Sent: Friday, May 15, 2026 2:58 PM To: [email protected] Cc: Xu, Feifei <[email protected]>; Deucher, Alexander <[email protected]>; Zhang, Hawking <[email protected]> Subject: [PATCH 1/2] drm/amdgpu: Add size guard before copy discovery binary Fix the firmware blob copied into fixed-size buffer without length check. Signed-off-by: Feifei Xu <[email protected]> --- drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c index 8e3b6a4050e9..c9073935e1a4 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c @@ -396,6 +396,26 @@ static int amdgpu_discovery_read_binary_from_file(struct amdgpu_device *adev, return r; } + if (fw->size > adev->discovery.size) { + dev_err(adev->dev, + "ip discovery firmware \"%s\" too large (%zu > %u)\n", + fw_name, fw->size, adev->discovery.size); + release_firmware(fw); + return -EINVAL; + } + + /* Ensure the firmware is at least large enough to contain the + * binary header fields. + */ + if (fw->size < offsetof(struct binary_header, binary_size) + + sizeof(((struct binary_header *)0)->binary_size)) { + dev_err(adev->dev, + "ip discovery firmware \"%s\" too small (%zu)\n", + fw_name, fw->size); + release_firmware(fw); + return -EINVAL; + } + memcpy((u8 *)binary, (u8 *)fw->data, fw->size); release_firmware(fw); -- 2.34.1
