Re: [PATCH v1 1/5] gpu: nova-core: use checked arithmetic in FWSEC firmware parsing

Dirk Behme Sun, 25 Jan 2026 01:09:33 -0800

Hi Joel,

On 25.01.26 00:18, Joel Fernandes wrote:
> Use checked_add() and checked_mul() when computing offsets from
> firmware-provided values in new_fwsec().
> 
> Without checked arithmetic, corrupt firmware could cause integer overflow. The
> danger is not just wrapping to a huge value, but potentially wrapping to a
> small plausible offset that passes validation yet accesses entirely wrong 
> data,
> causing silent corruption or security issues.
> 
> Signed-off-by: Joel Fernandes <[email protected]>
> ---
>  drivers/gpu/nova-core/firmware/fwsec.rs | 60 ++++++++++++++-----------
>  1 file changed, 35 insertions(+), 25 deletions(-)
> 
> diff --git a/drivers/gpu/nova-core/firmware/fwsec.rs 
> b/drivers/gpu/nova-core/firmware/fwsec.rs
> index a8ec08a500ac..1a91bbbce3d5 100644
> --- a/drivers/gpu/nova-core/firmware/fwsec.rs
> +++ b/drivers/gpu/nova-core/firmware/fwsec.rs
> @@ -46,10 +46,7 @@
...
> @@ -356,8 +362,12 @@ pub(crate) fn new(
>          // Patch signature if needed.
>          let desc = bios.fwsec_image().header()?;
>          let ucode_signed = if desc.signature_count() != 0 {
> -            let sig_base_img =
> -                usize::from_safe_cast(desc.imem_load_size() + 
> desc.pkc_data_offset());
> +            // Compute sig_base_img = desc.imem_load_size + 
> desc.pkc_data_offset.


Nit: Drop `desc.` to make it consistent with the other comments.

Best regards

Dirk

Re: [PATCH v1 1/5] gpu: nova-core: use checked arithmetic in FWSEC firmware parsing

Reply via email to