gpu: nvgpu: fix use of untrusted scalar value

Kind value can be passed to API nvgpu_vm_map() from User
space (through IOCTL NVGPU_AS_IOCTL_MAP_BUFFER_EX)

But kind value is not checked for sane values
before storing it in bfr.kind_v
And then we use this kind value as array index
in gk20a_kind_is_supported() which is incorrect

Fix this by ensuring in nvgpu_vm_map() that the
kind value is well within range

Bug 200291879
Coverity id : 2567923
Coverity id : 2567924

Change-Id: Ic57395018727cbd2260c929581db256e427316c6
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1496597
GVS: Gerrit_Virtual_Submit
Reviewed-by: svccoveritychecker <svccoveritychecker@nvidia.com>
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>

1 files changed, 7 insertions, 1 deletions

diff --git a/drivers/gpu/nvgpu/common/linux/vm.c b/drivers/gpu/nvgpu/common/linux/vm.c
index 4fa01855..f356fee2 100644
--- a/drivers/gpu/nvgpu/common/linux/vm.c
+++ b/drivers/gpu/nvgpu/common/linux/vm.c
@@ -25,6 +25,7 @@
 
 #include "gk20a/gk20a.h"
 #include "gk20a/mm_gk20a.h"
+#include "gk20a/kind_gk20a.h"
 
 #include "vm_priv.h"
 
@@ -237,7 +238,12 @@ u64 nvgpu_vm_map(struct vm_gk20a *vm,
                 goto clean_up;
         }
 
-        bfr.kind_v = kind;
+        if (kind >= NV_KIND_ATTR_SIZE) {
+                err = -EINVAL;
+                goto clean_up;
+        } else {
+                bfr.kind_v = kind;
+        }
         bfr.size = dmabuf->size;
         sgl = bfr.sgt->sgl;