From 9902a49b0bc43ceb64076bce78fe8189ccd24e17 Mon Sep 17 00:00:00 2001
From: Deepak Nibade
Date: Mon, 5 Jun 2017 16:02:46 +0530
Subject: gpu: nvgpu: fix use of untrusted scalar value
Kind value can be passed to API nvgpu_vm_map() from User space (through IOCTL NVGPU_AS_IOCTL_MAP_BUFFER_EX) But kind value is not checked for sane values before storing it in bfr.kind_v And then we use this kind value as array index in gk20a_kind_is_supported() which is incorrect Fix this by ensuring in nvgpu_vm_map() that the kind value is well within range
Bug 200291879
Coverity id : 2567923
Coverity id : 2567924
Change-Id: Ic57395018727cbd2260c929581db256e427316c6
Signed-off-by: Deepak Nibade
Reviewed-on: http://git-master/r/1496597
GVS: Gerrit_Virtual_Submit
Reviewed-by: svccoveritychecker
Reviewed-by: Terje Bergstrom
---
 drivers/gpu/nvgpu/common/linux/vm.c | 8 +++++++-
 drivers/gpu/nvgpu/gk20a/kind_gk20a.c | 4 ++--
 drivers/gpu/nvgpu/gk20a/kind_gk20a.h | 1 +
 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/nvgpu/common/linux/vm.c b/drivers/gpu/nvgpu/common/linux/vm.c
index 4fa01855..f356fee2 100644
--- a/drivers/gpu/nvgpu/common/linux/vm.c
+++ b/drivers/gpu/nvgpu/common/linux/vm.c
@@ -25,6 +25,7 @@
 #include "gk20a/gk20a.h"
 #include "gk20a/mm_gk20a.h"
+#include "gk20a/kind_gk20a.h"
 #include "vm_priv.h"
@@ -237,7 +238,12 @@ u64 nvgpu_vm_map(struct vm_gk20a *vm,
 goto clean_up;
 }
- bfr.kind_v = kind;
+ if (kind >= NV_KIND_ATTR_SIZE) {
+ err = -EINVAL;
+ goto clean_up;
+ } else {
+ bfr.kind_v = kind;
+ }
 bfr.size = dmabuf->size;
 sgl = bfr.sgt->sgl;
diff --git a/drivers/gpu/nvgpu/gk20a/kind_gk20a.c b/drivers/gpu/nvgpu/gk20a/kind_gk20a.c
index 4e9ebe4b..57cf028b 100644
--- a/drivers/gpu/nvgpu/gk20a/kind_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/kind_gk20a.c
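Review bot: The new range check in nvgpu_vm_map() tests only the upper bound, `kind >= NV_KIND_ATTR_SIZE`, so if `kind` is a signed type (its declaration is outside the hunk, but this commit's header defines `NV_KIND_DEFAULT` as -1) a negative value from the ioctl still reaches `bfr.kind_v = kind;`. Unless negatives are handled earlier in the function, the guard should cover both ends, e.g. `if (kind < 0 || kind >= NV_KIND_ATTR_SIZE) {`, or treat the default sentinel explicitly before the store. The `else` after `goto clean_up;` is also redundant; the assignment can follow the `if` block unindented. The function starts and ends outside this hunk.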
@@ -408,11 +408,11 @@ void gk20a_init_uncompressed_kind_map(void)
 gmmu_pte_kind_x8c24_v();
 }
-u16 gk20a_kind_attr[256];
+u16 gk20a_kind_attr[NV_KIND_ATTR_SIZE];
 void gk20a_init_kind_attr(void)
 {
 u16 k;
- for (k = 0; k < 256; k++) {
+ for (k = 0; k < NV_KIND_ATTR_SIZE; k++) {
 gk20a_kind_attr[k] = 0;
 if (gk20a_kind_supported((u8)k))
 gk20a_kind_attr[k] |= GK20A_KIND_ATTR_SUPPORTED;
diff --git a/drivers/gpu/nvgpu/gk20a/kind_gk20a.h b/drivers/gpu/nvgpu/gk20a/kind_gk20a.h
index 9dec84a5..28d5802c 100644
--- a/drivers/gpu/nvgpu/gk20a/kind_gk20a.h
+++ b/drivers/gpu/nvgpu/gk20a/kind_gk20a.h
@@ -27,6 +27,7 @@ void gk20a_init_uncompressed_kind_map(void);
 void gk20a_init_kind_attr(void);
 extern u16 gk20a_kind_attr[];
+#define NV_KIND_ATTR_SIZE 256
 #define NV_KIND_DEFAULT -1
 #define GK20A_KIND_ATTR_SUPPORTED BIT(0)
--
cgit v1.2.2
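Review bot: The `(u8)k` cast in the loop of gk20a_init_kind_attr() still hard-codes the assumption that the table has at most 256 entries, so the new constant is not freely changeable. With a larger NV_KIND_ATTR_SIZE the upper entries would be filled from truncated kind values. A compile-time guard at the top of the function, `BUILD_BUG_ON(NV_KIND_ATTR_SIZE > 256);`, or a comment on the array stating that the size must match the 8-bit kind range, would make the coupling explicit. The function body continues past the end of this hunk.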
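Review bot: `extern u16 gk20a_kind_attr[];` is left unsized in kind_gk20a.h, so code that indexes the table through this header gets no bound from the declaration and relies entirely on the one caller-side check added in nvgpu_vm_map(). Defining `NV_KIND_ATTR_SIZE` above the declaration and writing `extern u16 gk20a_kind_attr[NV_KIND_ATTR_SIZE];` would tie the declaration to the definition. The commit message names gk20a_kind_is_supported() as the place where the index is used; that helper is not visible here, but a bound check there would protect every caller rather than only the map path. The new macro also deserves a one-line comment such as `/* number of entries in gk20a_kind_attr[] */`.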