gpu: nvgpu: fix use of untrusted scalar value

Kind value can be passed to API nvgpu_vm_map() from User
space (through IOCTL NVGPU_AS_IOCTL_MAP_BUFFER_EX)

But kind value is not checked for sane values
before storing it in bfr.kind_v
And then we use this kind value as array index
in gk20a_kind_is_supported() which is incorrect

Fix this by ensuring in nvgpu_vm_map() that the
kind value is well within range

Bug 200291879
Coverity id : 2567923
Coverity id : 2567924

Change-Id: Ic57395018727cbd2260c929581db256e427316c6
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1496597
GVS: Gerrit_Virtual_Submit
Reviewed-by: svccoveritychecker <svccoveritychecker@nvidia.com>
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
This commit is contained in:
Deepak Nibade
2017-06-05 16:02:46 +05:30
committed by mobile promotions
parent 793bc318c5
commit 9902a49b0b
3 changed files with 10 additions and 3 deletions

@@ -25,6 +25,7 @@
#include "gk20a/gk20a.h"
#include "gk20a/mm_gk20a.h"
#include "gk20a/kind_gk20a.h"
#include "vm_priv.h"
@@ -237,7 +238,12 @@ u64 nvgpu_vm_map(struct vm_gk20a *vm,
goto clean_up;
}
bfr.kind_v = kind;
if (kind >= NV_KIND_ATTR_SIZE) {
err = -EINVAL;
goto clean_up;
} else {
bfr.kind_v = kind;
}
bfr.size = dmabuf->size;
sgl = bfr.sgt->sgl;
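
Review bot: The check `if (kind >= NV_KIND_ATTR_SIZE)` bounds the value only from above, and the declared type of `kind` is not visible in this hunk. If `kind` is a signed type, a negative value from user space passes this test and is still stored in `bfr.kind_v`, where the commit message says it is later used as an array index in gk20a_kind_is_supported(). Please either reject `kind < 0` in the same condition or make the comparison on an unsigned value, and say in a comment which range is valid. As a style point, the `else` branch is redundant after `goto clean_up;`, so `bfr.kind_v = kind;` can follow the check unconditionally, which keeps the assignment on one code path.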