When calling request_firmware_into_buf() with the FW_OPT_NOCACHE flag
it is expected that firmware is loaded into buffer from memory.
But inside alloc_lookup_fw_priv every new firmware that is loaded is
added to the firmware cache (fwc) list head. So if any driver requests
a firmware that is already loaded the code iterates over the above
mentioned list and it can end up giving a pointer to other device driver's
firmware buffer.
Also the existing copy may either be modified by drivers, remote processors
or even freed. This causes a potential security issue with batched requests
when using request_firmware_into_buf.
Fix alloc_lookup_fw_priv to not add to the fwc head list if FW_OPT_NOCACHE
is set, and also don't do the lookup in the list.
Fixes: 0e742e9275 ("firmware: provide infrastructure to make fw caching optional")
Signed-off-by: Vikram Mulukutla <markivx@xxxxxxxxxxxxxx>
Signed-off-by: Rishabh Bhatnagar <rishabhb@xxxxxxxxxxxxxx>
---
Did you test with the tools/testing/selftests/firmware/ scripts? If not please do so and report back and confirm no regressions are found.
Brownie points for you to add a test case to show the issue highlighted in this patch, and which it fixes. I believe this fix should be pushed to stable, so I'll do that after you confirm no regressions were found.
The new selftests changed you'd make would not go to stable, however there are Linux distributions and 0day that test the latest tools directory against older kernels. So this test would help capture gaps later.
 Luis