From 120a653dd1e00abc75de3e36b30c9a97f37fcba1 Mon Sep 17 00:00:00 2001
From: Sagar Kamble
Date: Thu, 7 Apr 2022 15:48:37 +0530
Subject: [PATCH] gpu: nvgpu: fix untrusted loop bound in clk_set_info ioctl
In gk20a_ctrl_dev_ioctl clk_set_info: An unscrutinized value num_entries is used as a loop bound. An attacker could control the number of times the loop iterates. Loop iterator is signed int which can lead to unpredictable results, Hence change it to u32. And sanitize the num_entries parameter. CID 1993996 Bug 3460991
Change-Id: Ib644cf19f016ab80a3f2d66f156ca863f8e138e1
Signed-off-by: Sagar Kamble
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nvgpu/+/2693942
Reviewed-by: Ramesh Mylavarapu
Reviewed-by: Sachin Nikam
Reviewed-by: svc-mobile-coverity
GVS: Gerrit_Virtual_Submit
---
 drivers/gpu/nvgpu/os/linux/ioctl_ctrl.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/nvgpu/os/linux/ioctl_ctrl.c b/drivers/gpu/nvgpu/os/linux/ioctl_ctrl.c
index 88033547f..38b248236 100644
--- a/drivers/gpu/nvgpu/os/linux/ioctl_ctrl.c
+++ b/drivers/gpu/nvgpu/os/linux/ioctl_ctrl.c
@@ -1490,8 +1490,9 @@ static int nvgpu_gpu_clk_set_info(struct gk20a *g,
 int fd;
 u32 clk_domains = 0;
+ u32 num_domains;
 u16 freq_mhz;
- int i;
+ u32 i;
 int ret;
 nvgpu_log_fn(g, " ");
@@ -1503,6 +1504,13 @@ static int nvgpu_gpu_clk_set_info(struct gk20a *g,
 if (!clk_domains) return -EINVAL;
+ num_domains = hweight_long(clk_domains);
+
+ if ((args->num_entries == 0) || (args->num_entries > num_domains)) {
+ nvgpu_err(g, "invalid num_entries %u", args->num_entries);
+ return -EINVAL;
+ }
+
 entry = (struct nvgpu_gpu_clk_info __user *) (uintptr_t)args->clk_info_entries;
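Review bot: The added `nvgpu_err(g, "invalid num_entries %u", args->num_entries);` sits on a rejection path that any caller of this ioctl can trigger at will, so a process repeating the call with a bad count can flood the kernel log. Whether nvgpu_err is rate-limited is not visible here; if it is not, a debug-level or rate-limited message would be safer for an input-validation failure. Since `clk_domains` is declared `u32`, `num_domains = hweight32(clk_domains);` states the width exactly instead of widening to `unsigned long` for `hweight_long`. The bound also deserves a short comment such as `/* at most one entry per supported clock domain */`, because the link between num_entries and the popcount of the domain mask is not obvious. The loop that consumes num_entries lies outside this hunk, so how it treats repeated domains within the allowed count cannot be checked from here.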