From 9568aaa35d559a0667671fbf3d70204bf606a553 Mon Sep 17 00:00:00 2001
From: N V S Abhishek
Date: Sun, 8 Dec 2024 13:12:35 +0000
Subject: [PATCH] tegra: nvmap: Fix SAST defects in nvmap_ioctl
Add call to check_add_overflow to fix CERT INT 30-C and INT 8-C defects. Add boundary check for offset value to fix default coverity TAINTED_SCALAR and MISRA 4.14 defects. Offset value is being passed on and eventually used as a loop boundary. So, a check at the beginning is required. Total Defects Fixed: 4 Defects
Bug 4479044
Change-Id: Ie687c5d7d84cd3f7897d5e6e04ab90d0ed2e1619
Signed-off-by: N V S Abhishek
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3263923
Reviewed-by: Ketan Patil
Reviewed-by: Sachin Nikam
Reviewed-by: svcacv
GVS: buildbot_gerritrpt
---
 drivers/video/tegra/nvmap/nvmap_ioctl.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/drivers/video/tegra/nvmap/nvmap_ioctl.c b/drivers/video/tegra/nvmap/nvmap_ioctl.c
index ed176edd..722e4372 100644
--- a/drivers/video/tegra/nvmap/nvmap_ioctl.c
+++ b/drivers/video/tegra/nvmap/nvmap_ioctl.c
@@ -1261,6 +1261,7 @@ int nvmap_ioctl_get_fd_from_list(struct file *filp, void __user *arg)
 int err = 0;
 int fd = -1;
 u32 *hndls;
+ size_t result;
 if (!client)
 return -ENODEV;
@@ -1269,7 +1270,8 @@ int nvmap_ioctl_get_fd_from_list(struct file *filp, void __user *arg)
 return -EFAULT;
 if (!op.handles || !op.num_handles
- || !op.size || op.num_handles > U32_MAX / sizeof(u32))
+ || !op.size || op.num_handles > U32_MAX / sizeof(u32)
+ || op.offset > (U64_MAX - op.size))
 return -EINVAL;
 hrange.offs = op.offset;
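Review bot: The new bound `op.offset > (U64_MAX - op.size)` assumes both ioctl fields are 64-bit, and their declarations are outside this hunk; if either is narrower the comparison can never be true and the tainted offset passes unchecked into `hrange.offs`. The commit already uses check_add_overflow for the handle sizes, and the same helper would bind the test to the fields' real types: `if (check_add_overflow(op.offset, op.size, &end)) return -EINVAL;`, with `end` declared in the type of `op.offset`. The test only proves that offset plus size does not wrap, so it is worth a one-line comment saying that the comparison against the handles' total size is done further down. The function body starts and ends outside the hunk.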
@@ -1312,7 +1314,15 @@ int nvmap_ioctl_get_fd_from_list(struct file *filp, void __user *arg)
 err = -EINVAL;
 goto free_mem;
 }
- tot_hs_size += hs[i]->size;
+
+ if (check_add_overflow(tot_hs_size, hs[i]->size, &result)) {
+ while (i >= 0)
+ nvmap_handle_put(hs[i--]);
+ err = -EOVERFLOW;
+ goto free_mem;
+ }
+
+ tot_hs_size = result;
 }
 /* Add check for sizes of all the handles should be > offs and size */
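Review bot: The unwind loop in the new overflow branch, `while (i >= 0) nvmap_handle_put(hs[i--]);`, terminates only if `i` is signed, and its declaration is not visible in this hunk. If `i` is unsigned the condition is always true, so the index wraps below `hs[0]` and nvmap_handle_put() is called on out-of-bounds pointers on a path reachable from a user ioctl. `do { nvmap_handle_put(hs[i]); } while (i-- > 0);` releases the same handles and is correct for either signedness. `result` is declared `size_t` in the first hunk; declaring it in the type of `tot_hs_size` keeps the overflow test at the accumulator's width. The enclosing loop starts outside the hunk.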