nvsciipc: set nvsciipc max endpoint count

validate nvsciipc max endpoint count. validate set_db entry pointer. JIRA NVIPC-3506 Change-Id: Id29531af24367de952b2dccebe23515ad52bfd33 Signed-off-by: Joshua Cha <joshuac@nvidia.com> Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3322061 Reviewed-by: Suneel Kumar Pemmineti <spemmineti@nvidia.com> Reviewed-by: Simon Je <sje@nvidia.com> GVS: buildbot_gerritrpt <buildbot_gerritrpt@nvidia.com>
2025-12-22 09:11:26 +03:00 · 2025-03-19 10:23:55 +09:00
parent bb01f4bcf7
commit 915ce6717f
2 changed files with 17 additions and 2 deletions
--- a/drivers/misc/nvsciipc/nvsciipc.c
+++ b/drivers/misc/nvsciipc/nvsciipc.c
@@ -613,8 +613,8 @@ static int nvsciipc_ioctl_set_db(struct nvsciipc *ctx, unsigned int cmd,
 		return -EFAULT;
 	}
-	if (user_db.num_eps <= 0) {
+	if ((user_db.num_eps <= 0) || (user_db.num_eps > NVSCIIPC_MAX_EP_COUNT)) {
-		ERR("invalid value passed for num_eps\n");
+		ERR("invalid value passed for num_eps: %d\n", user_db.num_eps);
 		return -EINVAL;
 	}
@@ -630,6 +630,13 @@ static int nvsciipc_ioctl_set_db(struct nvsciipc *ctx, unsigned int cmd,
 		goto ptr_error;
 	}
 	if (!access_ok(user_db.entry, ctx->num_eps *
 		sizeof(struct nvsciipc_config_entry *))) {
 		ERR("invalid user-space pointer: %p\n", user_db.entry);
 		ret = -EFAULT;
 		goto ptr_error;
 	}
 	ret = copy_from_user(entry_ptr, (void __user *)user_db.entry,
 			ctx->num_eps * sizeof(struct nvsciipc_config_entry *));
 	if (ret < 0) {
--- a/include/uapi/linux/nvsciipc_ioctl.h
+++ b/include/uapi/linux/nvsciipc_ioctl.h
@@ -6,6 +6,14 @@
 #include <linux/ioctl.h>
 /*
 * inter-thread: 2000
 * inter-process: 16384
 * inter-vm: 512
 * inter-chip-pcie: 32
 */
 #define NVSCIIPC_MAX_EP_COUNT 18928
 #define NVSCIIPC_MAX_EP_NAME	64U
 #define NVSCIIPC_MAX_RDMA_NAME	64U
 #define NVSCIIPC_MAX_IP_NAME	16U