[PATCH -next] firmware: imx: se_ctrl: bound userspace-controlled response buffer size
From: pankaj . gupta
Date: Thu Jun 11 2026 - 06:30:34 EST
From: Pankaj Gupta <pankaj.gupta@xxxxxxx>

The command-send ioctl path allocates the response buffer directly from a
userspace-provided rx_buf_sz value.

Reject response buffer sizes that are smaller than a message header or
larger than the maximum supported debug-dump response size before
allocating the response buffer.

Fixes: b87b30bbdfb2 ("firmware: drivers: imx: adds miscdev")
Reported-by: sashiko-bot <sashiko-bot@xxxxxxxxxx>
Closes: https://sashiko.dev/#/patchset/20260528091446.3331006-1-pankaj.gupta@xxxxxxx?part=1
Signed-off-by: Pankaj Gupta <pankaj.gupta@xxxxxxx>
---
drivers/firmware/imx/se_ctrl.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/firmware/imx/se_ctrl.c b/drivers/firmware/imx/se_ctrl.c
index e42e5e23f48a..c9e270288c3b 100644
--- a/drivers/firmware/imx/se_ctrl.c
+++ b/drivers/firmware/imx/se_ctrl.c
@@ -32,6 +32,9 @@
#include "ele_common.h"
#include "se_ctrl.h"
+/* Maximum response buffer size in bytes for debug-dump replies. */
+#define MAX_ALLOWED_RX_MSG_SZ ELE_DEBUG_DUMP_RSP_SZ
+
#define MAX_SOC_INFO_DATA_SZ 256
#define MBOX_TX_NAME "tx"
#define MBOX_RX_NAME "rx"
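Review bot: The new MAX_ALLOWED_RX_MSG_SZ define makes ELE_DEBUG_DUMP_RSP_SZ the ceiling for every response on this ioctl path, but the comment only says it is the size "for debug-dump replies" and does not say why that is the largest reply the firmware can return. Please state that in the comment, and confirm that ELE_DEBUG_DUMP_RSP_SZ is expressed in bytes as the comment claims, since it is compared directly against rx_buf_sz. If the constant is in words, the bound is off by the word size. A name that reflects the role (a generic response cap) rather than aliasing one command's size would also make it harder to miss when a larger response type is added later.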
@@ -542,6 +545,12 @@ static int se_ioctl_cmd_snd_rcv_rsp_handler(struct se_if_device_ctx *dev_ctx,
return err;
}
+ if (cmd_snd_rcv_rsp_info.rx_buf_sz < sizeof(struct se_msg_hdr) ||
+ cmd_snd_rcv_rsp_info.rx_buf_sz > MAX_ALLOWED_RX_MSG_SZ) {
+ se_ioctl_cmd_snd_rcv_cleanup(dev_ctx, uarg, &cmd_snd_rcv_rsp_info);
+ return -EINVAL;
+ }
+
if (tx_msg->header.tag != priv->if_defs->cmd_tag) {
se_ioctl_cmd_snd_rcv_cleanup(dev_ctx, uarg, &cmd_snd_rcv_rsp_info);
return -EINVAL;
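Review bot: The range check on cmd_snd_rcv_rsp_info.rx_buf_sz mixes a comparison against sizeof(struct se_msg_hdr), which is size_t, with a comparison against MAX_ALLOWED_RX_MSG_SZ, whose type depends on how ELE_DEBUG_DUMP_RSP_SZ is defined. If rx_buf_sz is a signed field, a negative value is promoted to a large unsigned value in the first comparison and so is not "smaller than a header", and in the second it can be compared as signed and so is not "larger than the maximum", which lets it through both tests. Please confirm the field is unsigned, or cast both sides to size_t. Two smaller points: the commit message says the check runs before the response buffer is allocated, but the allocation is not visible in this hunk, so it is worth confirming that se_ioctl_cmd_snd_rcv_cleanup() is safe to call at this point with no rx buffer allocated yet; and since the check depends only on the copied-in info struct, it could sit directly after that copy rather than after the earlier step that can "return err".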
--
2.43.0