On Sat, 24 Jan 2026 18:18:27 -0500 Joel Fernandes <[email protected]> wrote:
> Use checked_add() when computing signature offsets from firmware- > provided values in signatures_iter(). > > Without checked arithmetic, overflow could wrap to a small plausible > offset that points to entirely wrong data. > > Signed-off-by: Joel Fernandes <[email protected]> > --- > drivers/gpu/nova-core/firmware/booter.rs | 19 ++++++++++++++----- > 1 file changed, 14 insertions(+), 5 deletions(-) > > diff --git a/drivers/gpu/nova-core/firmware/booter.rs > b/drivers/gpu/nova-core/firmware/booter.rs index > 86556cee8e67..f5ad619dc055 100644 --- > a/drivers/gpu/nova-core/firmware/booter.rs +++ > b/drivers/gpu/nova-core/firmware/booter.rs @@ -119,14 +119,23 @@ fn > signatures_iter(&'a self) -> Result<impl Iterator<Item = > BooterSignature<'a>> Some(sig_size) => { let patch_sig = > frombytes_at::<u32>(self.fw, > self.hdr.patch_sig_offset.into_safe_cast())?; > - let signatures_start = > usize::from_safe_cast(self.hdr.sig_prod_offset + patch_sig); + > + // Compute signatures_start = hdr.sig_prod_offset + > patch_sig. > + let signatures_start = self > + .hdr > + .sig_prod_offset > + .checked_add(patch_sig) > + .map(usize::from_safe_cast) > + .ok_or(EINVAL)?; > + > + // Compute signatures_end = signatures_start + > hdr.sig_prod_size. > + let signatures_end = signatures_start > + > .checked_add(usize::from_safe_cast(self.hdr.sig_prod_size)) > + .ok_or(EINVAL)?; > The same concern of comment format in PATCH 1 raised by Dirk, With that addressed, Reviewed-by: Zhi Wang <[email protected]> > self.fw > // Get signatures range. > - .get( > - signatures_start > - ..signatures_start + > usize::from_safe_cast(self.hdr.sig_prod_size), > - ) > + .get(signatures_start..signatures_end) > .ok_or(EINVAL)? > .chunks_exact(sig_size.into_safe_cast()) > }
