gpu: nvgpu: fix untrusted loop bound in clk_set_info ioctl

In gk20a_ctrl_dev_ioctl clk_set_info: An unscrutinized value num_entries is used as a loop bound. An attacker could control the number of times the loop iterates. Loop iterator is signed int which can lead to unpredictable results, Hence change it to u32. And sanitize the num_entries parameter. CID 1993996 Bug 3460991 Change-Id: Ib644cf19f016ab80a3f2d66f156ca863f8e138e1 Signed-off-by: Sagar Kamble <skamble@nvidia.com> Reviewed-on: https://git-master.nvidia.com/r/c/linux-nvgpu/+/2693942 Reviewed-by: Ramesh Mylavarapu <rmylavarapu@nvidia.com> Reviewed-by: Sachin Nikam <snikam@nvidia.com> Reviewed-by: svc-mobile-coverity <svc-mobile-coverity@nvidia.com> GVS: Gerrit_Virtual_Submit
2025-12-22 17:36:20 +03:00 · 2022-04-07 15:48:37 +05:30
parent dae284c74b
commit 120a653dd1
1 changed files with 9 additions and 1 deletions
--- a/drivers/gpu/nvgpu/os/linux/ioctl_ctrl.c
+++ b/drivers/gpu/nvgpu/os/linux/ioctl_ctrl.c
@@ -1490,8 +1490,9 @@ static int nvgpu_gpu_clk_set_info(struct gk20a *g,

 	int fd;
 	u32 clk_domains = 0;
+	u32 num_domains;
 	u16 freq_mhz;
-	int i;
+	u32 i;
 	int ret;

 	nvgpu_log_fn(g, " ");
@@ -1503,6 +1504,13 @@ static int nvgpu_gpu_clk_set_info(struct gk20a *g,
 	if (!clk_domains)
 		return -EINVAL;

+	num_domains = hweight_long(clk_domains);
+
+	if ((args->num_entries == 0) || (args->num_entries > num_domains)) {
+		nvgpu_err(g, "invalid num_entries %u", args->num_entries);
+		return -EINVAL;
+	}
+
 	entry = (struct nvgpu_gpu_clk_info __user *)
 			(uintptr_t)args->clk_info_entries;