On Jan 25, 2026, at 4:09 AM, Dirk Behme <[email protected]> wrote: > > Hi Joel, > > On 25.01.26 00:18, Joel Fernandes wrote: >> Use checked_add() and checked_mul() when computing offsets from >> firmware-provided values in new_fwsec(). >> >> Without checked arithmetic, corrupt firmware could cause integer overflow. >> The >> danger is not just wrapping to a huge value, but potentially wrapping to a >> small plausible offset that passes validation yet accesses entirely wrong >> data, >> causing silent corruption or security issues. >> >> Signed-off-by: Joel Fernandes <[email protected]> >> --- >> drivers/gpu/nova-core/firmware/fwsec.rs | 60 ++++++++++++++----------- >> 1 file changed, 35 insertions(+), 25 deletions(-) >> >> diff --git a/drivers/gpu/nova-core/firmware/fwsec.rs >> b/drivers/gpu/nova-core/firmware/fwsec.rs >> index a8ec08a500ac..1a91bbbce3d5 100644 >> --- a/drivers/gpu/nova-core/firmware/fwsec.rs >> +++ b/drivers/gpu/nova-core/firmware/fwsec.rs >> @@ -46,10 +46,7 @@ > ... >> @@ -356,8 +362,12 @@ pub(crate) fn new( >> // Patch signature if needed. >> let desc = bios.fwsec_image().header()?; >> let ucode_signed = if desc.signature_count() != 0 { >> - let sig_base_img = >> - usize::from_safe_cast(desc.imem_load_size() + >> desc.pkc_data_offset()); >> + // Compute sig_base_img = desc.imem_load_size + >> desc.pkc_data_offset. > > Nit: Drop `desc.` to make it consistent with the other comments.
Ok, thanks. I request anyone applying the patch to fix that on apply, but I can totally do that if respinning/resending. -- Joel Fernandes
