From 9402f4165b7a5568363f793e47bb893719639ca2 Mon Sep 17 00:00:00 2001
From: Deepak Goyal
Date: Thu, 1 Feb 2018 11:00:27 +0530
Subject: gpu: nvgpu: fix out of bounds access

lsf_ucode_desc_v1 has more size than signature bin. In memcpy(dest, src, size_to_copy) usage, "size_to_copy" is more than "size of the src" which is causing out of bounds access.

Bug 2051856 NVGPU-507
Change-Id: I0aad34df39f95f7e95ccb10539e1fae9f65361a8
Signed-off-by: Deepak Goyal
Reviewed-on: https://git-master.nvidia.com/r/1650140
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom
Reviewed-by: mobile promotions
Tested-by: mobile promotions
---
 drivers/gpu/nvgpu/gm20b/acr_gm20b.c | 10 ++++++----
 drivers/gpu/nvgpu/gp106/acr_gp106.c | 8 +++++---
 2 files changed, 11 insertions(+), 7 deletions(-)
(limited to 'drivers')
diff --git a/drivers/gpu/nvgpu/gm20b/acr_gm20b.c b/drivers/gpu/nvgpu/gm20b/acr_gm20b.c
index 62d3a8fa..c57fba45 100644
--- a/drivers/gpu/nvgpu/gm20b/acr_gm20b.c
+++ b/drivers/gpu/nvgpu/gm20b/acr_gm20b.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2017, NVIDIA CORPORATION. All rights reserved.
+ * Copyright (c) 2015-2018, NVIDIA CORPORATION. All rights reserved.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the "Software"),
@@ -138,7 +138,8 @@ static int pmu_ucode_details(struct gk20a *g, struct flcn_ucode_img *p_img)
 err = -ENOMEM;
 goto release_sig;
 }
- memcpy(lsf_desc, (void *)pmu_sig->data, sizeof(struct lsf_ucode_desc));
+ memcpy(lsf_desc, (void *)pmu_sig->data,
+ min_t(size_t, sizeof(*lsf_desc), pmu_sig->size));
 lsf_desc->falcon_id = LSF_FALCON_ID_PMU;
 p_img->desc = pmu->desc;
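Review bot: The clamped `memcpy` in `pmu_ucode_details` removes the over-read but now accepts a signature blob of any length, zero included, and whatever part of `*lsf_desc` lies beyond `pmu_sig->size` keeps the contents the allocation gave it. The allocation of `lsf_desc` is above the hunk (the function body starts and ends outside it), so it should be confirmed to be zero-initialising, as `nvgpu_kzalloc` is for `p_img->desc` in the fecs and gpccs hunks; otherwise stale heap bytes would end up in the descriptor. I would add a comment at the call, `/* signature blob may be shorter than the descriptor; the uncopied tail stays zeroed */`. If the loader needs a minimum number of signature bytes, a guard placed before `lsf_desc` is allocated, such as `if (pmu_sig->size < MIN_SIG_BYTES) { err = -EINVAL; goto release_sig; }` with `MIN_SIG_BYTES` a placeholder for that minimum, would reject truncated firmware instead of loading a partly empty descriptor. The same point applies to the `fecs_ucode_details` and `gpccs_ucode_details` hunks in this file and to the three hunks in gp106/acr_gp106.c.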
@@ -177,7 +178,8 @@ static int fecs_ucode_details(struct gk20a *g, struct flcn_ucode_img *p_img)
 err = -ENOMEM;
 goto rel_sig;
 }
- memcpy(lsf_desc, (void *)fecs_sig->data, sizeof(struct lsf_ucode_desc));
+ memcpy(lsf_desc, (void *)fecs_sig->data,
+ min_t(size_t, sizeof(*lsf_desc), fecs_sig->size));
 lsf_desc->falcon_id = LSF_FALCON_ID_FECS;
 p_img->desc = nvgpu_kzalloc(g, sizeof(struct pmu_ucode_desc));
@@ -248,7 +250,7 @@ static int gpccs_ucode_details(struct gk20a *g, struct flcn_ucode_img *p_img)
 goto rel_sig;
 }
 memcpy(lsf_desc, (void *)gpccs_sig->data,
- sizeof(struct lsf_ucode_desc));
+ min_t(size_t, sizeof(*lsf_desc), gpccs_sig->size));
 lsf_desc->falcon_id = LSF_FALCON_ID_GPCCS;
 p_img->desc = nvgpu_kzalloc(g, sizeof(struct pmu_ucode_desc));
diff --git a/drivers/gpu/nvgpu/gp106/acr_gp106.c b/drivers/gpu/nvgpu/gp106/acr_gp106.c
index 31ddecf0..5ab8cfcc 100644
--- a/drivers/gpu/nvgpu/gp106/acr_gp106.c
+++ b/drivers/gpu/nvgpu/gp106/acr_gp106.c
@@ -153,7 +153,8 @@ int pmu_ucode_details(struct gk20a *g, struct flcn_ucode_img_v1 *p_img)
 err = -ENOMEM;
 goto release_sig;
 }
- memcpy(lsf_desc, (void *)pmu_sig->data, sizeof(struct lsf_ucode_desc_v1));
+ memcpy(lsf_desc, (void *)pmu_sig->data,
+ min_t(size_t, sizeof(*lsf_desc), pmu_sig->size));
 lsf_desc->falcon_id = LSF_FALCON_ID_PMU;
 p_img->desc = pmu->desc_v1;
@@ -218,7 +219,8 @@ int fecs_ucode_details(struct gk20a *g, struct flcn_ucode_img_v1 *p_img)
 err = -ENOMEM;
 goto rel_sig;
 }
- memcpy(lsf_desc, (void *)fecs_sig->data, sizeof(struct lsf_ucode_desc_v1));
+ memcpy(lsf_desc, (void *)fecs_sig->data,
+ min_t(size_t, sizeof(*lsf_desc), fecs_sig->size));
 lsf_desc->falcon_id = LSF_FALCON_ID_FECS;
 p_img->desc = nvgpu_kzalloc(g, sizeof(struct pmu_ucode_desc_v1));
@@ -314,7 +316,7 @@ int gpccs_ucode_details(struct gk20a *g, struct flcn_ucode_img_v1 *p_img)
 goto rel_sig;
 }
 memcpy(lsf_desc, (void *)gpccs_sig->data,
- sizeof(struct lsf_ucode_desc_v1));
+ min_t(size_t, sizeof(*lsf_desc), gpccs_sig->size));
 lsf_desc->falcon_id = LSF_FALCON_ID_GPCCS;
 p_img->desc = nvgpu_kzalloc(g, sizeof(struct pmu_ucode_desc_v1));
--
cgit v1.2.2