On Tue Jan 27, 2026 at 5:23 AM JST, Joel Fernandes wrote: > Use checked_add() and checked_mul() when computing offsets from > firmware-provided values in new_fwsec(). > > Without checked arithmetic, corrupt firmware could cause integer overflow. The > danger is not just wrapping to a huge value, but potentially wrapping to a > small plausible offset that passes validation yet accesses entirely wrong > data, > causing silent corruption or security issues. > > Reviewed-by: Zhi Wang <[email protected]> > Signed-off-by: Joel Fernandes <[email protected]> > --- > drivers/gpu/nova-core/firmware/fwsec.rs | 60 ++++++++++++++----------- > 1 file changed, 35 insertions(+), 25 deletions(-) > > diff --git a/drivers/gpu/nova-core/firmware/fwsec.rs > b/drivers/gpu/nova-core/firmware/fwsec.rs > index a8ec08a500ac..71541b1f07d7 100644 > --- a/drivers/gpu/nova-core/firmware/fwsec.rs > +++ b/drivers/gpu/nova-core/firmware/fwsec.rs > @@ -46,10 +46,7 @@ > Signed, > Unsigned, // > }, > - num::{ > - FromSafeCast, > - IntoSafeCast, // > - }, > + num::FromSafeCast, > vbios::Vbios, > }; > > @@ -267,7 +264,12 @@ fn new_fwsec(dev: &Device<device::Bound>, bios: &Vbios, > cmd: FwsecCommand) -> Re > let ucode = bios.fwsec_image().ucode(&desc)?; > let mut dma_object = DmaObject::from_data(dev, ucode)?; > > - let hdr_offset = usize::from_safe_cast(desc.imem_load_size() + > desc.interface_offset()); > + // Compute hdr_offset = imem_load_size + interface_offset. > + let hdr_offset = desc > + .imem_load_size() > + .checked_add(desc.interface_offset()) > + .map(usize::from_safe_cast) > + .ok_or(EINVAL)?; > // SAFETY: we have exclusive access to `dma_object`.
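Review bot: the comment `// Compute hdr_offset = imem_load_size + interface_offset.` in the new_fwsec() hunk restates the expression rather than the reason the checked form is needed; consider wording it around what the commit message says, that both operands are firmware-provided descriptor fields and that an overflow must fail with EINVAL instead of wrapping to a small, plausible-looking offset. Separately, the new code relies on `.ok_or(EINVAL)?` while the import hunk only narrows `num::{FromSafeCast, IntoSafeCast}` to `num::FromSafeCast`, so please confirm that `EINVAL` is already in scope in fwsec.rs and that no remaining use of `IntoSafeCast` survives in the parts of the file this excerpt does not show.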
Missing empty line before the SAFETY comment (also in other places). I will fix when applying, no need to resend.
