| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20260126202305.2526618-3-joelagnelf@nvidia.com>
Date: Mon, 26 Jan 2026 15:23:02 -0500
From: Joel Fernandes <joelagnelf@...dia.com>
To: linux-kernel@...r.kernel.org
Cc: Paul Walmsley <pjw@...nel.org>,
Palmer Dabbelt <palmer@...belt.com>,
Albert Ou <aou@...s.berkeley.edu>,
Alexandre Ghiti <alex@...ti.fr>,
Miguel Ojeda <ojeda@...nel.org>,
Boqun Feng <boqun.feng@...il.com>,
Gary Guo <gary@...yguo.net>,
Björn Roy Baron <bjorn3_gh@...tonmail.com>,
Benno Lossin <lossin@...nel.org>,
Andreas Hindborg <a.hindborg@...nel.org>,
Alice Ryhl <aliceryhl@...gle.com>,
Trevor Gross <tmgross@...ch.edu>,
Danilo Krummrich <dakr@...nel.org>,
Alexandre Courbot <acourbot@...dia.com>,
John Hubbard <jhubbard@...dia.com>,
Alistair Popple <apopple@...dia.com>,
Timur Tabi <ttabi@...dia.com>,
Edwin Peer <epeer@...dia.com>,
Zhi Wang <zhiw@...dia.com>,
David Airlie <airlied@...il.com>,
Simona Vetter <simona@...ll.ch>,
Bjorn Helgaas <bhelgaas@...gle.com>,
Alex Gaynor <alex.gaynor@...il.com>,
Dirk Behme <dirk.behme@...il.com>,
nouveau@...ts.freedesktop.org,
dri-devel@...ts.freedesktop.org,
rust-for-linux@...r.kernel.org,
linux-riscv@...ts.infradead.org,
Joel Fernandes <joelagnelf@...dia.com>
Subject: [PATCH v2 2/5] gpu: nova-core: use checked arithmetic in Booter signature parsing
Use checked_add() when computing signature offsets from firmware-
provided values in signatures_iter().
Without checked arithmetic, overflow could wrap to a small plausible
offset that points to entirely wrong data.
Reviewed-by: Zhi Wang <zhiw@...dia.com>
Signed-off-by: Joel Fernandes <joelagnelf@...dia.com>
---
drivers/gpu/nova-core/firmware/booter.rs | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/nova-core/firmware/booter.rs b/drivers/gpu/nova-core/firmware/booter.rs
index 86556cee8e67..40ac7e66d228 100644
--- a/drivers/gpu/nova-core/firmware/booter.rs
+++ b/drivers/gpu/nova-core/firmware/booter.rs
@@ -119,14 +119,23 @@ fn signatures_iter(&'a self) -> Result<impl Iterator<Item = BooterSignature<'a>>
Some(sig_size) => {
let patch_sig =
frombytes_at::<u32>(self.fw, self.hdr.patch_sig_offset.into_safe_cast())?;
- let signatures_start = usize::from_safe_cast(self.hdr.sig_prod_offset + patch_sig);
+
+ // Compute signatures_start = sig_prod_offset + patch_sig.
+ let signatures_start = self
+ .hdr
+ .sig_prod_offset
+ .checked_add(patch_sig)
+ .map(usize::from_safe_cast)
+ .ok_or(EINVAL)?;
+
+ // Compute signatures_end = signatures_start + sig_prod_size.
+ let signatures_end = signatures_start
+ .checked_add(usize::from_safe_cast(self.hdr.sig_prod_size))
+ .ok_or(EINVAL)?;
self.fw
// Get signatures range.
- .get(
- signatures_start
- ..signatures_start + usize::from_safe_cast(self.hdr.sig_prod_size),
- )
+ .get(signatures_start..signatures_end)
.ok_or(EINVAL)?
.chunks_exact(sig_size.into_safe_cast())
}
--
2.34.1
Powered by blists - more mailing lists