ANDROID: firmware_loader: Fix a buffer underflow in firmware_param_path_get()

Bart Van Assche · Treehugger Robot · commit 445fb9b8ccd1 · 2025-10-06T15:45:44.000-07:00
Fix the following KASAN complaint: BUG: KASAN: slab-out-of-bounds in firmware_param_path_get+0x11e/0x130 Write of size 1 at addr ffff888156945fff by task dracut/7151 CPU: 114 UID: 0 PID: 7151 Comm: dracut Not tainted 6.12.23-dbg torvalds#14 b37048002fbe82089398ca883b3197e4fe6e7ef6 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> show_stack+0x4d/0x60 dump_stack_lvl+0x61/0x80 print_address_description.constprop.0+0x8b/0x320 print_report+0xe7/0x1c5 kasan_report+0xd1/0x1c0 __asan_report_store1_noabort+0x1b/0x20 firmware_param_path_get+0x11e/0x130 param_attr_show+0x13b/0x200 module_attr_show+0x46/0x70 sysfs_kf_seq_show+0x1f2/0x350 kernfs_seq_show+0x118/0x160 seq_read_iter+0x2bb/0x1040 kernfs_fop_read_iter+0xe9/0x150 vfs_read+0x711/0xd40 ksys_read+0x10b/0x200 __x64_sys_read+0x76/0xb0 x64_sys_call+0x1678/0x1790 do_syscall_64+0x92/0x180 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> Allocated by task 7093: kasan_save_stack+0x2f/0x50 kasan_save_track+0x18/0x40 kasan_save_alloc_info+0x3b/0x50 __kasan_kmalloc+0xaf/0xc0 __kmalloc_node_noprof+0x1cd/0x4c0 __kvmalloc_node_noprof+0x55/0x100 seq_read_iter+0x6af/0x1040 proc_reg_read_iter+0x1a6/0x270 vfs_read+0x711/0xd40 ksys_read+0x10b/0x200 __x64_sys_read+0x76/0xb0 x64_sys_call+0x1678/0x1790 do_syscall_64+0x92/0x180 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Freed by task 7093: kasan_save_stack+0x2f/0x50 kasan_save_track+0x18/0x40 kasan_save_free_info+0x3f/0x50 __kasan_slab_free+0x56/0x70 kfree+0x13b/0x3f0 kvfree+0x2d/0x40 single_release+0x77/0xc0 close_pdeo.part.0+0xe3/0x2d0 close_pdeo+0x155/0x170 proc_reg_release+0x16d/0x1d0 __fput+0x356/0xa40 __fput_sync+0x2f/0x40 __x64_sys_close+0x81/0xd0 x64_sys_call+0x11fc/0x1790 do_syscall_64+0x92/0x180 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Bug: 420669812 Test: blktests nvme/044 Fixes: ac1a02d ("ANDROID: firmware_loader: Add support for customer firmware paths") Change-Id: I1fbf1f8d48e4611468e2ad80650001afdd3ea784 Signed-off-by: Bart Van Assche <bvanassche@google.com>
diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
@@ -531,6 +531,9 @@ static int firmware_param_path_get(char *buffer, const struct kernel_param *kp)
 			count += scnprintf(buffer + count, PATH_SIZE, "%s%s", fw_path_para[i], ",");
 	}
 
+	if (count == 0)
+		return 0;
+
 	buffer[count - 1] = '\0';
 
 	return count - 1;

Original file line number	Diff line number	Diff line change
`@@ -531,6 +531,9 @@ static int firmware_param_path_get(char buffer, const struct kernel_param kp)`
`531`	`531`	`count += scnprintf(buffer + count, PATH_SIZE, "%s%s", fw_path_para[i], ",");`
`532`	`532`	`}`
`533`	`533`
	`534`	`+ if (count == 0)`
	`535`	`+ return 0;`
	`536`	`+`
`534`	`537`	`buffer[count - 1] = '\0';`
`535`	`538`
`536`	`539`	`return count - 1;`