tegra: nvmap: Fix SAST defects in nvmap_ioctl

Add call to check_add_overflow to fix CERT INT 30-C and INT 8-C defects.

Add boundary check for offset value to fix default coverity
TAINTED_SCALAR and MISRA 4.14 defects. Offset value is being passed on
and eventually used as a loop boundary. So, a check at the beginning is
required.

Total Defects Fixed: 4 Defects

Bug 4479044

Change-Id: Ie687c5d7d84cd3f7897d5e6e04ab90d0ed2e1619
Signed-off-by: N V S Abhishek <nabhishek@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3263923
Reviewed-by: Ketan Patil <ketanp@nvidia.com>
Reviewed-by: Sachin Nikam <snikam@nvidia.com>
Reviewed-by: svcacv <svcacv@nvidia.com>
GVS: buildbot_gerritrpt <buildbot_gerritrpt@nvidia.com>

drivers/video/tegra/nvmap/nvmap_ioctl.c

@@ -1261,6 +1261,7 @@ int nvmap_ioctl_get_fd_from_list(struct file *filp, void __user *arg)
 	int err = 0;
 	int fd = -1;
 	u32 *hndls;
+	size_t result;
 
 	if (!client)
 		return -ENODEV;
@@ -1269,7 +1270,8 @@ int nvmap_ioctl_get_fd_from_list(struct file *filp, void __user *arg)
 		return -EFAULT;
 
 	if (!op.handles || !op.num_handles
-		 || !op.size || op.num_handles > U32_MAX / sizeof(u32))
+		 || !op.size || op.num_handles > U32_MAX / sizeof(u32)
+		 || op.offset > (U64_MAX - op.size))
 		return -EINVAL;
 
 	hrange.offs = op.offset;
@@ -1312,7 +1314,15 @@ int nvmap_ioctl_get_fd_from_list(struct file *filp, void __user *arg)
 			err = -EINVAL;
 			goto free_mem;
 		}
-		tot_hs_size += hs[i]->size;
+
+		if (check_add_overflow(tot_hs_size, hs[i]->size, &result)) {
+			while (i >= 0)
+				nvmap_handle_put(hs[i--]);
+			err = -EOVERFLOW;
+			goto free_mem;
+		}
+
+		tot_hs_size = result;
 	}
 
 	/* Add check for sizes of all the handles should be > offs and size */