From: Joel Fernandes Date: Mon, 26 Jan 2026 20:23:02 +0000 (-0500) Subject: gpu: nova-core: use checked arithmetic in Booter signature parsing X-Git-Tag: v7.1-rc1~167^2~13^2~104 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4f2609685418cc995ff6a2d558ed62214dec75dc;p=thirdparty%2Flinux.git gpu: nova-core: use checked arithmetic in Booter signature parsing Use checked_add() when computing signature offsets from firmware- provided values in signatures_iter(). Without checked arithmetic, overflow could wrap to a small plausible offset that points to entirely wrong data. Reviewed-by: Zhi Wang Signed-off-by: Joel Fernandes Reviewed-by: Gary Guo Link: https://patch.msgid.link/20260126202305.2526618-3-joelagnelf@nvidia.com [acourbot@nvidia.com: remove obvious computation comments.] Signed-off-by: Alexandre Courbot --- diff --git a/drivers/gpu/nova-core/firmware/booter.rs b/drivers/gpu/nova-core/firmware/booter.rs index 86556cee8e67b..21cd437a3c954 100644 --- a/drivers/gpu/nova-core/firmware/booter.rs +++ b/drivers/gpu/nova-core/firmware/booter.rs @@ -119,14 +119,21 @@ impl<'a> HsFirmwareV2<'a> { Some(sig_size) => { let patch_sig = frombytes_at::(self.fw, self.hdr.patch_sig_offset.into_safe_cast())?; - let signatures_start = usize::from_safe_cast(self.hdr.sig_prod_offset + patch_sig); + + let signatures_start = self + .hdr + .sig_prod_offset + .checked_add(patch_sig) + .map(usize::from_safe_cast) + .ok_or(EINVAL)?; + + let signatures_end = signatures_start + .checked_add(usize::from_safe_cast(self.hdr.sig_prod_size)) + .ok_or(EINVAL)?; self.fw // Get signatures range. - .get( - signatures_start - ..signatures_start + usize::from_safe_cast(self.hdr.sig_prod_size), - ) + .get(signatures_start..signatures_end) .ok_or(EINVAL)? .chunks_exact(sig_size.into_safe_cast()) }