gpu: nova-core: use checked arithmetic in FWSEC firmware parsing

author Joel Fernandes <joelagnelf@nvidia.com>

Mon, 26 Jan 2026 20:23:01 +0000 (15:23 -0500)

committer Alexandre Courbot <acourbot@nvidia.com>

Tue, 24 Feb 2026 23:16:55 +0000 (08:16 +0900)
author Joel Fernandes <joelagnelf@nvidia.com>
Mon, 26 Jan 2026 20:23:01 +0000 (15:23 -0500)
committer Alexandre Courbot <acourbot@nvidia.com>
Tue, 24 Feb 2026 23:16:55 +0000 (08:16 +0900)
diff --git a/drivers/gpu/nova-core/firmware/fwsec.rs b/drivers/gpu/nova-core/firmware/fwsec.rs

index bfb7b06b13d150b9eedf20afaf4322819b59ec49..df3d8de14ca1478c26876de75813f9862327a99d 100644 (file)
--- a/drivers/gpu/nova-core/firmware/fwsec.rs
+++ b/drivers/gpu/nova-core/firmware/fwsec.rs
@@ -45,10 +45,7 @@ use crate::{
          Signed,
          Unsigned, //
      },
-    num::{
-        FromSafeCast,
-        IntoSafeCast, //
-    },
+    num::FromSafeCast,
      vbios::Vbios,
  };
  
@@ -266,7 +263,12 @@ impl FirmwareDmaObject<FwsecFirmware, Unsigned> {
          let ucode = bios.fwsec_image().ucode(&desc)?;
          let mut dma_object = DmaObject::from_data(dev, ucode)?;
  
-        let hdr_offset = usize::from_safe_cast(desc.imem_load_size() + desc.interface_offset());
+        let hdr_offset = desc
+            .imem_load_size()
+            .checked_add(desc.interface_offset())
+            .map(usize::from_safe_cast)
+            .ok_or(EINVAL)?;
+
          // SAFETY: we have exclusive access to `dma_object`.
          let hdr: &FalconAppifHdrV1 = unsafe { transmute(&dma_object, hdr_offset) }?;
  
@@ -276,26 +278,29 @@ impl FirmwareDmaObject<FwsecFirmware, Unsigned> {
  
          // Find the DMEM mapper section in the firmware.
          for i in 0..usize::from(hdr.entry_count) {
+            // CALC: hdr_offset + header_size + i * entry_size.
+            let entry_offset = hdr_offset
+                .checked_add(usize::from(hdr.header_size))
+                .and_then(|o| o.checked_add(i.checked_mul(usize::from(hdr.entry_size))?))
+                .ok_or(EINVAL)?;
+
              // SAFETY: we have exclusive access to `dma_object`.
-            let app: &FalconAppifV1 = unsafe {
-                transmute(
-                    &dma_object,
-                    hdr_offset + usize::from(hdr.header_size) + i * usize::from(hdr.entry_size),
-                )
-            }?;
+            let app: &FalconAppifV1 = unsafe { transmute(&dma_object, entry_offset) }?;
  
              if app.id != NVFW_FALCON_APPIF_ID_DMEMMAPPER {
                  continue;
              }
              let dmem_base = app.dmem_base;
  
-            // SAFETY: we have exclusive access to `dma_object`.
-            let dmem_mapper: &mut FalconAppifDmemmapperV3 = unsafe {
-                transmute_mut(
-                    &mut dma_object,
-                    (desc.imem_load_size() + dmem_base).into_safe_cast(),
-                )
-            }?;
+            let dmem_mapper_offset = desc
+                .imem_load_size()
+                .checked_add(dmem_base)
+                .map(usize::from_safe_cast)
+                .ok_or(EINVAL)?;
+
+            let dmem_mapper: &mut FalconAppifDmemmapperV3 =
+                // SAFETY: we have exclusive access to `dma_object`.
+                unsafe { transmute_mut(&mut dma_object, dmem_mapper_offset) }?;
  
              dmem_mapper.init_cmd = match cmd {
                  FwsecCommand::Frts { .. } => NVFW_FALCON_APPIF_DMEMMAPPER_CMD_FRTS,
@@ -303,13 +308,15 @@ impl FirmwareDmaObject<FwsecFirmware, Unsigned> {
              };
              let cmd_in_buffer_offset = dmem_mapper.cmd_in_buffer_offset;
  
-            // SAFETY: we have exclusive access to `dma_object`.
-            let frts_cmd: &mut FrtsCmd = unsafe {
-                transmute_mut(
-                    &mut dma_object,
-                    (desc.imem_load_size() + cmd_in_buffer_offset).into_safe_cast(),
-                )
-            }?;
+            let frts_cmd_offset = desc
+                .imem_load_size()
+                .checked_add(cmd_in_buffer_offset)
+                .map(usize::from_safe_cast)
+                .ok_or(EINVAL)?;
+
+            let frts_cmd: &mut FrtsCmd =
+                // SAFETY: we have exclusive access to `dma_object`.
+                unsafe { transmute_mut(&mut dma_object, frts_cmd_offset) }?;
  
              frts_cmd.read_vbios = ReadVbios {
                  ver: 1,
@@ -355,8 +362,11 @@ impl FwsecFirmware {
          // Patch signature if needed.
          let desc = bios.fwsec_image().header()?;
          let ucode_signed = if desc.signature_count() != 0 {
-            let sig_base_img =
-                usize::from_safe_cast(desc.imem_load_size() + desc.pkc_data_offset());
+            let sig_base_img = desc
+                .imem_load_size()
+                .checked_add(desc.pkc_data_offset())
+                .map(usize::from_safe_cast)
+                .ok_or(EINVAL)?;
              let desc_sig_versions = u32::from(desc.signature_versions());
              let reg_fuse_version =
                  falcon.signature_reg_fuse_version(bar, desc.engine_id_mask(), desc.ucode_id())?;
author	Joel Fernandes <joelagnelf@nvidia.com>
	Mon, 26 Jan 2026 20:23:01 +0000 (15:23 -0500)
committer	Alexandre Courbot <acourbot@nvidia.com>
	Tue, 24 Feb 2026 23:16:55 +0000 (08:16 +0900)