CVE-2024-39291

Severity CVSS v4.0: Pending analysis
Type: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Publication date: 24/06/2024
Last modified: 30/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix buffer size in gfx_v9_4_3_init_ cp_compute_microcode() and rlc_microcode()

The function gfx_v9_4_3_init_microcode in gfx_v9_4_3.c was generating a warning about potential truncation of output when using the snprintf function. The issue was due to the size of the buffer 'ucode_prefix' being too small to accommodate the maximum possible length of the string being written into it.

The string being written is "amdgpu/%s_mec.bin" or "amdgpu/%s_rlc.bin", where %s is replaced by the value of 'chip_name'. The length of this string without the %s is 16 characters. The warning message indicated that 'chip_name' could be up to 29 characters long, resulting in a total of 45 characters, which exceeds the buffer size of 30 characters.

To resolve this issue, the size of the 'ucode_prefix' buffer has been reduced from 30 to 15. This ensures that the maximum possible length of the string being written into the buffer will not exceed its size, thus preventing potential buffer overflow and truncation issues.

Fixes the below with gcc W=1:

drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c: In function ‘gfx_v9_4_3_early_init’:
drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:52: warning: ‘%s’ directive output may be truncated writing up to 29 bytes into a region of size 23 [-Wformat-truncation=]
  379 |         snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_rlc.bin", chip_name);
      |                                                    ^~
......
  439 |         r = gfx_v9_4_3_init_rlc_microcode(adev, ucode_prefix);
      |                                                 ~~~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:9: note: ‘snprintf’ output between 16 and 45 bytes into a destination of size 30
  379 |         snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_rlc.bin", chip_name);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:52: warning: ‘%s’ directive output may be truncated writing up to 29 bytes into a region of size 23 [-Wformat-truncation=]
  413 |         snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_mec.bin", chip_name);
      |                                                    ^~
......
  443 |         r = gfx_v9_4_3_init_cp_compute_microcode(adev, ucode_prefix);
      |                                                  ~~~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:9: note: ‘snprintf’ output between 16 and 45 bytes into a destination of size 30
  413 |         snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_mec.bin", chip_name);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
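The size arithmetic behind the warning, as an added example in user-space C (not code from the kernel or from this advisory). build_fw_name() and max_chip_len() are hypothetical helpers and the chip names are constructed; the 30-byte destination and the format strings are the ones shown in the gcc output above. The helper checks snprintf's return value so a truncated firmware path is reported instead of being used.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define FW_NAME_SIZE 30 /* destination size reported in the gcc note */

/* Hypothetical helper: format "amdgpu/<chip>_<block>.bin" into dst and
 * report truncation instead of returning a silently shortened path. */
static int build_fw_name(char *dst, size_t dst_size,
                         const char *chip_name, const char *block)
{
    int n = snprintf(dst, dst_size, "amdgpu/%s_%s.bin", chip_name, block);

    if (n < 0)
        return -EINVAL;        /* output error */
    if ((size_t)n >= dst_size)
        return -ENAMETOOLONG;  /* snprintf wanted more room than dst has */
    return n;                  /* characters written, excluding the NUL */
}

/* Longest chip_name, in characters, that still fits in dst_size bytes. */
static size_t max_chip_len(size_t dst_size, const char *block)
{
    /* fixed bytes: "amdgpu/" + "_" + block + ".bin" + terminating NUL */
    size_t fixed = strlen("amdgpu/") + 1 + strlen(block) + strlen(".bin") + 1;

    return dst_size > fixed ? dst_size - fixed : 0;
}

int main(void)
{
    char fw_name[FW_NAME_SIZE];
    /* Constructed inputs: 14 characters fits a 15-byte prefix buffer,
     * 29 characters is the worst case gcc assumed for a 30-byte one. */
    const char *names[] = { "abcdefghijklmn",
                            "abcdefghijklmnopqrstuvwxyzabc" };

    printf("max chip_name length for rlc: %zu\n",
           max_chip_len(sizeof(fw_name), "rlc"));
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int r = build_fw_name(fw_name, sizeof(fw_name), names[i], "rlc");

        printf("%-30s -> %s\n", names[i], r < 0 ? "truncated" : fw_name);
    }
    return 0;
}
```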

Vulnerable products and versions

CPE                                                  From             Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.5 (including)  6.6.33 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.7 (including)  6.9.4 (excluding)
cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*