diff options
| author | Deepak Nibade <dnibade@nvidia.com> | 2017-06-05 06:32:46 -0400 |
|---|---|---|
| committer | mobile promotions <svcmobile_promotions@nvidia.com> | 2017-06-06 11:13:43 -0400 |
| commit | 9902a49b0bc43ceb64076bce78fe8189ccd24e17 (patch) | |
| tree | 6d6df6130758443d2c1fb06443bfba1f9d218690 /drivers | |
| parent | 793bc318c558295f8c2a0a2af3e7729dcece6208 (diff) | |
gpu: nvgpu: fix use of untrusted scalar value
Kind value can be passed to API nvgpu_vm_map() from User
space (through IOCTL NVGPU_AS_IOCTL_MAP_BUFFER_EX)
But kind value is not checked for sane values
before storing it in bfr.kind_v
And then we use this kind value as array index
in gk20a_kind_is_supported() which is incorrect
Fix this by ensuring in nvgpu_vm_map() that the
kind value is well within range
Bug 200291879
Coverity id : 2567923
Coverity id : 2567924
Change-Id: Ic57395018727cbd2260c929581db256e427316c6
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1496597
GVS: Gerrit_Virtual_Submit
Reviewed-by: svccoveritychecker <svccoveritychecker@nvidia.com>
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/gpu/nvgpu/common/linux/vm.c | 8 | ||||
| -rw-r--r-- | drivers/gpu/nvgpu/gk20a/kind_gk20a.c | 4 | ||||
| -rw-r--r-- | drivers/gpu/nvgpu/gk20a/kind_gk20a.h | 1 |
3 files changed, 10 insertions, 3 deletions
diff --git a/drivers/gpu/nvgpu/common/linux/vm.c b/drivers/gpu/nvgpu/common/linux/vm.c index 4fa01855..f356fee2 100644 --- a/drivers/gpu/nvgpu/common/linux/vm.c +++ b/drivers/gpu/nvgpu/common/linux/vm.c | |||
| @@ -25,6 +25,7 @@ | |||
| 25 | 25 | ||
| 26 | #include "gk20a/gk20a.h" | 26 | #include "gk20a/gk20a.h" |
| 27 | #include "gk20a/mm_gk20a.h" | 27 | #include "gk20a/mm_gk20a.h" |
| 28 | #include "gk20a/kind_gk20a.h" | ||
| 28 | 29 | ||
| 29 | #include "vm_priv.h" | 30 | #include "vm_priv.h" |
| 30 | 31 | ||
| @@ -237,7 +238,12 @@ u64 nvgpu_vm_map(struct vm_gk20a *vm, | |||
| 237 | goto clean_up; | 238 | goto clean_up; |
| 238 | } | 239 | } |
| 239 | 240 | ||
| 240 | bfr.kind_v = kind; | 241 | if (kind >= NV_KIND_ATTR_SIZE) { |
| 242 | err = -EINVAL; | ||
| 243 | goto clean_up; | ||
| 244 | } else { | ||
| 245 | bfr.kind_v = kind; | ||
| 246 | } | ||
| 241 | bfr.size = dmabuf->size; | 247 | bfr.size = dmabuf->size; |
| 242 | sgl = bfr.sgt->sgl; | 248 | sgl = bfr.sgt->sgl; |
| 243 | 249 | ||
diff --git a/drivers/gpu/nvgpu/gk20a/kind_gk20a.c b/drivers/gpu/nvgpu/gk20a/kind_gk20a.c index 4e9ebe4b..57cf028b 100644 --- a/drivers/gpu/nvgpu/gk20a/kind_gk20a.c +++ b/drivers/gpu/nvgpu/gk20a/kind_gk20a.c | |||
| @@ -408,11 +408,11 @@ void gk20a_init_uncompressed_kind_map(void) | |||
| 408 | gmmu_pte_kind_x8c24_v(); | 408 | gmmu_pte_kind_x8c24_v(); |
| 409 | } | 409 | } |
| 410 | 410 | ||
| 411 | u16 gk20a_kind_attr[256]; | 411 | u16 gk20a_kind_attr[NV_KIND_ATTR_SIZE]; |
| 412 | void gk20a_init_kind_attr(void) | 412 | void gk20a_init_kind_attr(void) |
| 413 | { | 413 | { |
| 414 | u16 k; | 414 | u16 k; |
| 415 | for (k = 0; k < 256; k++) { | 415 | for (k = 0; k < NV_KIND_ATTR_SIZE; k++) { |
| 416 | gk20a_kind_attr[k] = 0; | 416 | gk20a_kind_attr[k] = 0; |
| 417 | if (gk20a_kind_supported((u8)k)) | 417 | if (gk20a_kind_supported((u8)k)) |
| 418 | gk20a_kind_attr[k] |= GK20A_KIND_ATTR_SUPPORTED; | 418 | gk20a_kind_attr[k] |= GK20A_KIND_ATTR_SUPPORTED; |
diff --git a/drivers/gpu/nvgpu/gk20a/kind_gk20a.h b/drivers/gpu/nvgpu/gk20a/kind_gk20a.h index 9dec84a5..28d5802c 100644 --- a/drivers/gpu/nvgpu/gk20a/kind_gk20a.h +++ b/drivers/gpu/nvgpu/gk20a/kind_gk20a.h | |||
| @@ -27,6 +27,7 @@ void gk20a_init_uncompressed_kind_map(void); | |||
| 27 | void gk20a_init_kind_attr(void); | 27 | void gk20a_init_kind_attr(void); |
| 28 | 28 | ||
| 29 | extern u16 gk20a_kind_attr[]; | 29 | extern u16 gk20a_kind_attr[]; |
| 30 | #define NV_KIND_ATTR_SIZE 256 | ||
| 30 | #define NV_KIND_DEFAULT -1 | 31 | #define NV_KIND_DEFAULT -1 |
| 31 | 32 | ||
| 32 | #define GK20A_KIND_ATTR_SUPPORTED BIT(0) | 33 | #define GK20A_KIND_ATTR_SUPPORTED BIT(0) |