From 9902a49b0bc43ceb64076bce78fe8189ccd24e17 Mon Sep 17 00:00:00 2001 From: Deepak Nibade Date: Mon, 5 Jun 2017 16:02:46 +0530 Subject: gpu: nvgpu: fix use of untrusted scalar value Kind value can be passed to API nvgpu_vm_map() from User space (through IOCTL NVGPU_AS_IOCTL_MAP_BUFFER_EX) But kind value is not checked for sane values before storing it in bfr.kind_v And then we use this kind value as array index in gk20a_kind_is_supported() which is incorrect Fix this by ensuring in nvgpu_vm_map() that the kind value is well within range Bug 200291879 Coverity id : 2567923 Coverity id : 2567924 Change-Id: Ic57395018727cbd2260c929581db256e427316c6 Signed-off-by: Deepak Nibade Reviewed-on: http://git-master/r/1496597 GVS: Gerrit_Virtual_Submit Reviewed-by: svccoveritychecker Reviewed-by: Terje Bergstrom
---
 drivers/gpu/nvgpu/common/linux/vm.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'drivers/gpu/nvgpu/common')
diff --git a/drivers/gpu/nvgpu/common/linux/vm.c b/drivers/gpu/nvgpu/common/linux/vm.c
index 4fa01855..f356fee2 100644
--- a/drivers/gpu/nvgpu/common/linux/vm.c
+++ b/drivers/gpu/nvgpu/common/linux/vm.c
@@ -25,6 +25,7 @@
 #include "gk20a/gk20a.h"
 #include "gk20a/mm_gk20a.h"
+#include "gk20a/kind_gk20a.h"
 #include "vm_priv.h"
@@ -237,7 +238,12 @@ u64 nvgpu_vm_map(struct vm_gk20a *vm,
 goto clean_up;
 }
- bfr.kind_v = kind;
+ if (kind >= NV_KIND_ATTR_SIZE) {
+ err = -EINVAL;
+ goto clean_up;
+ } else {
+ bfr.kind_v = kind;
+ }
 bfr.size = dmabuf->size;
 sgl = bfr.sgt->sgl;
-- cgit v1.2.2
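Review bot: The range check added in nvgpu_vm_map() has only an upper bound, so whether it fully protects the later array index depends on the type of `kind`, which is declared outside this hunk. If `kind` is signed, a negative value arriving through the ioctl is not rejected by `kind >= NV_KIND_ATTR_SIZE` and is still stored in `bfr.kind_v`; unless a negative sentinel is deliberately accepted here, the guard should read `if (kind < 0 || kind >= NV_KIND_ATTR_SIZE) {`. Since the commit message says the index is consumed in gk20a_kind_is_supported(), a bounds check at that point of use would also cover any other path that fills `kind_v`. The `else` after `goto clean_up;` is redundant, so the assignment `bfr.kind_v = kind;` can stay at the function's normal indentation level.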