diff options
| author | Deepak Goyal <dgoyal@nvidia.com> | 2018-02-01 00:30:27 -0500 |
|---|---|---|
| committer | mobile promotions <svcmobile_promotions@nvidia.com> | 2018-02-06 13:01:48 -0500 |
| commit | 9402f4165b7a5568363f793e47bb893719639ca2 (patch) | |
| tree | 7f09cac7392366c77e5da83e3b4daabb6f023b83 | |
| parent | 0c0d6ba4880f841e26183c26637e54d7a7a9a4dc (diff) | |
gpu: nvgpu: fix out of bounds access
lsf_ucode_desc_v1 has more size than signature bin.
In memcpy(dest, src, size_to_copy) usage, "size_to_copy"
is more than "size of the src" which is causing out of bounds
access.
Bug 2051856
NVGPU-507
Change-Id: I0aad34df39f95f7e95ccb10539e1fae9f65361a8
Signed-off-by: Deepak Goyal <dgoyal@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650140
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
| -rw-r--r-- | drivers/gpu/nvgpu/gm20b/acr_gm20b.c | 10 | ||||
| -rw-r--r-- | drivers/gpu/nvgpu/gp106/acr_gp106.c | 8 |
2 files changed, 11 insertions, 7 deletions
diff --git a/drivers/gpu/nvgpu/gm20b/acr_gm20b.c b/drivers/gpu/nvgpu/gm20b/acr_gm20b.c index 62d3a8fa..c57fba45 100644 --- a/drivers/gpu/nvgpu/gm20b/acr_gm20b.c +++ b/drivers/gpu/nvgpu/gm20b/acr_gm20b.c | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | /* | 1 | /* |
| 2 | * Copyright (c) 2015-2017, NVIDIA CORPORATION. All rights reserved. | 2 | * Copyright (c) 2015-2018, NVIDIA CORPORATION. All rights reserved. |
| 3 | * | 3 | * |
| 4 | * Permission is hereby granted, free of charge, to any person obtaining a | 4 | * Permission is hereby granted, free of charge, to any person obtaining a |
| 5 | * copy of this software and associated documentation files (the "Software"), | 5 | * copy of this software and associated documentation files (the "Software"), |
| @@ -138,7 +138,8 @@ static int pmu_ucode_details(struct gk20a *g, struct flcn_ucode_img *p_img) | |||
| 138 | err = -ENOMEM; | 138 | err = -ENOMEM; |
| 139 | goto release_sig; | 139 | goto release_sig; |
| 140 | } | 140 | } |
| 141 | memcpy(lsf_desc, (void *)pmu_sig->data, sizeof(struct lsf_ucode_desc)); | 141 | memcpy(lsf_desc, (void *)pmu_sig->data, |
| 142 | min_t(size_t, sizeof(*lsf_desc), pmu_sig->size)); | ||
| 142 | lsf_desc->falcon_id = LSF_FALCON_ID_PMU; | 143 | lsf_desc->falcon_id = LSF_FALCON_ID_PMU; |
| 143 | 144 | ||
| 144 | p_img->desc = pmu->desc; | 145 | p_img->desc = pmu->desc; |
| @@ -177,7 +178,8 @@ static int fecs_ucode_details(struct gk20a *g, struct flcn_ucode_img *p_img) | |||
| 177 | err = -ENOMEM; | 178 | err = -ENOMEM; |
| 178 | goto rel_sig; | 179 | goto rel_sig; |
| 179 | } | 180 | } |
| 180 | memcpy(lsf_desc, (void *)fecs_sig->data, sizeof(struct lsf_ucode_desc)); | 181 | memcpy(lsf_desc, (void *)fecs_sig->data, |
| 182 | min_t(size_t, sizeof(*lsf_desc), fecs_sig->size)); | ||
| 181 | lsf_desc->falcon_id = LSF_FALCON_ID_FECS; | 183 | lsf_desc->falcon_id = LSF_FALCON_ID_FECS; |
| 182 | 184 | ||
| 183 | p_img->desc = nvgpu_kzalloc(g, sizeof(struct pmu_ucode_desc)); | 185 | p_img->desc = nvgpu_kzalloc(g, sizeof(struct pmu_ucode_desc)); |
| @@ -248,7 +250,7 @@ static int gpccs_ucode_details(struct gk20a *g, struct flcn_ucode_img *p_img) | |||
| 248 | goto rel_sig; | 250 | goto rel_sig; |
| 249 | } | 251 | } |
| 250 | memcpy(lsf_desc, (void *)gpccs_sig->data, | 252 | memcpy(lsf_desc, (void *)gpccs_sig->data, |
| 251 | sizeof(struct lsf_ucode_desc)); | 253 | min_t(size_t, sizeof(*lsf_desc), gpccs_sig->size)); |
| 252 | lsf_desc->falcon_id = LSF_FALCON_ID_GPCCS; | 254 | lsf_desc->falcon_id = LSF_FALCON_ID_GPCCS; |
| 253 | 255 | ||
| 254 | p_img->desc = nvgpu_kzalloc(g, sizeof(struct pmu_ucode_desc)); | 256 | p_img->desc = nvgpu_kzalloc(g, sizeof(struct pmu_ucode_desc)); |
diff --git a/drivers/gpu/nvgpu/gp106/acr_gp106.c b/drivers/gpu/nvgpu/gp106/acr_gp106.c index 31ddecf0..5ab8cfcc 100644 --- a/drivers/gpu/nvgpu/gp106/acr_gp106.c +++ b/drivers/gpu/nvgpu/gp106/acr_gp106.c | |||
| @@ -153,7 +153,8 @@ int pmu_ucode_details(struct gk20a *g, struct flcn_ucode_img_v1 *p_img) | |||
| 153 | err = -ENOMEM; | 153 | err = -ENOMEM; |
| 154 | goto release_sig; | 154 | goto release_sig; |
| 155 | } | 155 | } |
| 156 | memcpy(lsf_desc, (void *)pmu_sig->data, sizeof(struct lsf_ucode_desc_v1)); | 156 | memcpy(lsf_desc, (void *)pmu_sig->data, |
| 157 | min_t(size_t, sizeof(*lsf_desc), pmu_sig->size)); | ||
| 157 | lsf_desc->falcon_id = LSF_FALCON_ID_PMU; | 158 | lsf_desc->falcon_id = LSF_FALCON_ID_PMU; |
| 158 | 159 | ||
| 159 | p_img->desc = pmu->desc_v1; | 160 | p_img->desc = pmu->desc_v1; |
| @@ -218,7 +219,8 @@ int fecs_ucode_details(struct gk20a *g, struct flcn_ucode_img_v1 *p_img) | |||
| 218 | err = -ENOMEM; | 219 | err = -ENOMEM; |
| 219 | goto rel_sig; | 220 | goto rel_sig; |
| 220 | } | 221 | } |
| 221 | memcpy(lsf_desc, (void *)fecs_sig->data, sizeof(struct lsf_ucode_desc_v1)); | 222 | memcpy(lsf_desc, (void *)fecs_sig->data, |
| 223 | min_t(size_t, sizeof(*lsf_desc), fecs_sig->size)); | ||
| 222 | lsf_desc->falcon_id = LSF_FALCON_ID_FECS; | 224 | lsf_desc->falcon_id = LSF_FALCON_ID_FECS; |
| 223 | 225 | ||
| 224 | p_img->desc = nvgpu_kzalloc(g, sizeof(struct pmu_ucode_desc_v1)); | 226 | p_img->desc = nvgpu_kzalloc(g, sizeof(struct pmu_ucode_desc_v1)); |
| @@ -314,7 +316,7 @@ int gpccs_ucode_details(struct gk20a *g, struct flcn_ucode_img_v1 *p_img) | |||
| 314 | goto rel_sig; | 316 | goto rel_sig; |
| 315 | } | 317 | } |
| 316 | memcpy(lsf_desc, (void *)gpccs_sig->data, | 318 | memcpy(lsf_desc, (void *)gpccs_sig->data, |
| 317 | sizeof(struct lsf_ucode_desc_v1)); | 319 | min_t(size_t, sizeof(*lsf_desc), gpccs_sig->size)); |
| 318 | lsf_desc->falcon_id = LSF_FALCON_ID_GPCCS; | 320 | lsf_desc->falcon_id = LSF_FALCON_ID_GPCCS; |
| 319 | 321 | ||
| 320 | p_img->desc = nvgpu_kzalloc(g, sizeof(struct pmu_ucode_desc_v1)); | 322 | p_img->desc = nvgpu_kzalloc(g, sizeof(struct pmu_ucode_desc_v1)); |