* [PATCH v1 1/5] gpu: nova-core: use checked arithmetic in FWSEC firmware parsing
2026-01-24 23:18 [PATCH v1 0/5] gpu: nova-core: use checked arithmetic for firmware parsing robustness Joel Fernandes
@ 2026-01-24 23:18 ` Joel Fernandes
2026-01-25 9:09 ` Dirk Behme
2026-01-24 23:18 ` [PATCH v1 2/5] gpu: nova-core: use checked arithmetic in Booter signature parsing Joel Fernandes
` (3 subsequent siblings)
4 siblings, 1 reply; 13+ messages in thread
From: Joel Fernandes @ 2026-01-24 23:18 UTC (permalink / raw)
To: linux-kernel, Danilo Krummrich, Alexandre Courbot, Alice Ryhl,
David Airlie, Simona Vetter
Cc: John Hubbard, Alistair Popple, Timur Tabi, Edwin Peer, Zhi Wang,
Bjorn Helgaas, Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo,
Björn Roy Baron, Benno Lossin, Andreas Hindborg,
Trevor Gross, nouveau, dri-devel, rust-for-linux, Joel Fernandes
Use checked_add() and checked_mul() when computing offsets from
firmware-provided values in new_fwsec().
Without checked arithmetic, corrupt firmware could cause integer overflow. The
danger is not just wrapping to a huge value, but potentially wrapping to a
small plausible offset that passes validation yet accesses entirely wrong data,
causing silent corruption or security issues.
Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
---
drivers/gpu/nova-core/firmware/fwsec.rs | 60 ++++++++++++++-----------
1 file changed, 35 insertions(+), 25 deletions(-)
diff --git a/drivers/gpu/nova-core/firmware/fwsec.rs b/drivers/gpu/nova-core/firmware/fwsec.rs
index a8ec08a500ac..1a91bbbce3d5 100644
--- a/drivers/gpu/nova-core/firmware/fwsec.rs
+++ b/drivers/gpu/nova-core/firmware/fwsec.rs
@@ -46,10 +46,7 @@
Signed,
Unsigned, //
},
- num::{
- FromSafeCast,
- IntoSafeCast, //
- },
+ num::FromSafeCast,
vbios::Vbios,
};
@@ -267,7 +264,12 @@ fn new_fwsec(dev: &Device<device::Bound>, bios: &Vbios, cmd: FwsecCommand) -> Re
let ucode = bios.fwsec_image().ucode(&desc)?;
let mut dma_object = DmaObject::from_data(dev, ucode)?;
- let hdr_offset = usize::from_safe_cast(desc.imem_load_size() + desc.interface_offset());
+ // Compute hdr_offset = imem_load_size + interface_offset.
+ let hdr_offset = desc
+ .imem_load_size()
+ .checked_add(desc.interface_offset())
+ .map(usize::from_safe_cast)
+ .ok_or(EINVAL)?;
// SAFETY: we have exclusive access to `dma_object`.
let hdr: &FalconAppifHdrV1 = unsafe { transmute(&dma_object, hdr_offset) }?;
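Review bot: the `// SAFETY:` comment above the `transmute` call for `hdr` still justifies only exclusive access, while `checked_add` rules out wraparound but not an `hdr_offset` past the end of `dma_object`. The call returns a `Result`, so it presumably bounds-checks the offset itself; the SAFETY comment should say so. The new `// Compute hdr_offset = ...` comment restates the expression; noting that both operands are firmware-provided would carry more information.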
@@ -277,26 +279,28 @@ fn new_fwsec(dev: &Device<device::Bound>, bios: &Vbios, cmd: FwsecCommand) -> Re
// Find the DMEM mapper section in the firmware.
for i in 0..usize::from(hdr.entry_count) {
+ // Compute entry_offset = hdr_offset + header_size + i * entry_size.
+ let entry_offset = hdr_offset
+ .checked_add(usize::from(hdr.header_size))
+ .and_then(|o| o.checked_add(i.checked_mul(usize::from(hdr.entry_size))?))
+ .ok_or(EINVAL)?;
// SAFETY: we have exclusive access to `dma_object`.
- let app: &FalconAppifV1 = unsafe {
- transmute(
- &dma_object,
- hdr_offset + usize::from(hdr.header_size) + i * usize::from(hdr.entry_size),
- )
- }?;
+ let app: &FalconAppifV1 = unsafe { transmute(&dma_object, entry_offset) }?;
if app.id != NVFW_FALCON_APPIF_ID_DMEMMAPPER {
continue;
}
let dmem_base = app.dmem_base;
+ // Compute dmem_mapper_offset = imem_load_size + dmem_base.
+ let dmem_mapper_offset = desc
+ .imem_load_size()
+ .checked_add(dmem_base)
+ .map(usize::from_safe_cast)
+ .ok_or(EINVAL)?;
// SAFETY: we have exclusive access to `dma_object`.
- let dmem_mapper: &mut FalconAppifDmemmapperV3 = unsafe {
- transmute_mut(
- &mut dma_object,
- (desc.imem_load_size() + dmem_base).into_safe_cast(),
- )
- }?;
+ let dmem_mapper: &mut FalconAppifDmemmapperV3 =
+ unsafe { transmute_mut(&mut dma_object, dmem_mapper_offset) }?;
dmem_mapper.init_cmd = match cmd {
FwsecCommand::Frts { .. } => NVFW_FALCON_APPIF_DMEMMAPPER_CMD_FRTS,
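Review bot: in the `entry_offset` chain, the `?` inside the `and_then` closure returns `None` from the closure, not from `new_fwsec()`. That is correct, but it is easy to misread next to the `.ok_or(EINVAL)?` on the following line. Consider computing `i.checked_mul(usize::from(hdr.entry_size))` as its own step, and hoisting the loop-invariant `hdr_offset.checked_add(usize::from(hdr.header_size))` above the `for`.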
@@ -304,13 +308,15 @@ fn new_fwsec(dev: &Device<device::Bound>, bios: &Vbios, cmd: FwsecCommand) -> Re
};
let cmd_in_buffer_offset = dmem_mapper.cmd_in_buffer_offset;
+ // Compute frts_cmd_offset = imem_load_size + cmd_in_buffer_offset.
+ let frts_cmd_offset = desc
+ .imem_load_size()
+ .checked_add(cmd_in_buffer_offset)
+ .map(usize::from_safe_cast)
+ .ok_or(EINVAL)?;
// SAFETY: we have exclusive access to `dma_object`.
- let frts_cmd: &mut FrtsCmd = unsafe {
- transmute_mut(
- &mut dma_object,
- (desc.imem_load_size() + cmd_in_buffer_offset).into_safe_cast(),
- )
- }?;
+ let frts_cmd: &mut FrtsCmd =
+ unsafe { transmute_mut(&mut dma_object, frts_cmd_offset) }?;
frts_cmd.read_vbios = ReadVbios {
ver: 1,
@@ -356,8 +362,12 @@ pub(crate) fn new(
// Patch signature if needed.
let desc = bios.fwsec_image().header()?;
let ucode_signed = if desc.signature_count() != 0 {
- let sig_base_img =
- usize::from_safe_cast(desc.imem_load_size() + desc.pkc_data_offset());
+ // Compute sig_base_img = desc.imem_load_size + desc.pkc_data_offset.
+ let sig_base_img = desc
+ .imem_load_size()
+ .checked_add(desc.pkc_data_offset())
+ .map(usize::from_safe_cast)
+ .ok_or(EINVAL)?;
let desc_sig_versions = u32::from(desc.signature_versions());
let reg_fuse_version =
falcon.signature_reg_fuse_version(bar, desc.engine_id_mask(), desc.ucode_id())?;
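Review bot: the `desc.imem_load_size().checked_add(..).map(usize::from_safe_cast).ok_or(EINVAL)?` chain for `sig_base_img` is the fourth copy of the same pattern in this patch (after `hdr_offset`, `dmem_mapper_offset` and `frts_cmd_offset`). A small helper taking the second operand would keep the overflow policy in one place and shorten every call site.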
--
2.34.1
* Re: [PATCH v1 1/5] gpu: nova-core: use checked arithmetic in FWSEC firmware parsing
2026-01-24 23:18 ` [PATCH v1 1/5] gpu: nova-core: use checked arithmetic in FWSEC firmware parsing Joel Fernandes
@ 2026-01-25 9:09 ` Dirk Behme
2026-01-25 15:13 ` Joel Fernandes
0 siblings, 1 reply; 13+ messages in thread
From: Dirk Behme @ 2026-01-25 9:09 UTC (permalink / raw)
To: Joel Fernandes, linux-kernel, Danilo Krummrich, Alexandre Courbot,
Alice Ryhl, David Airlie, Simona Vetter
Cc: John Hubbard, Alistair Popple, Timur Tabi, Edwin Peer, Zhi Wang,
Bjorn Helgaas, Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo,
Björn Roy Baron, Benno Lossin, Andreas Hindborg,
Trevor Gross, nouveau, dri-devel, rust-for-linux
Hi Joel,
On 25.01.26 00:18, Joel Fernandes wrote:
> Use checked_add() and checked_mul() when computing offsets from
> firmware-provided values in new_fwsec().
>
> Without checked arithmetic, corrupt firmware could cause integer overflow. The
> danger is not just wrapping to a huge value, but potentially wrapping to a
> small plausible offset that passes validation yet accesses entirely wrong data,
> causing silent corruption or security issues.
>
> Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
> ---
> drivers/gpu/nova-core/firmware/fwsec.rs | 60 ++++++++++++++-----------
> 1 file changed, 35 insertions(+), 25 deletions(-)
>
> diff --git a/drivers/gpu/nova-core/firmware/fwsec.rs b/drivers/gpu/nova-core/firmware/fwsec.rs
> index a8ec08a500ac..1a91bbbce3d5 100644
> --- a/drivers/gpu/nova-core/firmware/fwsec.rs
> +++ b/drivers/gpu/nova-core/firmware/fwsec.rs
> @@ -46,10 +46,7 @@
...
> @@ -356,8 +362,12 @@ pub(crate) fn new(
> // Patch signature if needed.
> let desc = bios.fwsec_image().header()?;
> let ucode_signed = if desc.signature_count() != 0 {
> - let sig_base_img =
> - usize::from_safe_cast(desc.imem_load_size() + desc.pkc_data_offset());
> + // Compute sig_base_img = desc.imem_load_size + desc.pkc_data_offset.
Nit: Drop `desc.` to make it consistent with the other comments.
Best regards
Dirk
* Re: [PATCH v1 1/5] gpu: nova-core: use checked arithmetic in FWSEC firmware parsing
2026-01-25 9:09 ` Dirk Behme
@ 2026-01-25 15:13 ` Joel Fernandes
0 siblings, 0 replies; 13+ messages in thread
From: Joel Fernandes @ 2026-01-25 15:13 UTC (permalink / raw)
To: Dirk Behme
Cc: linux-kernel, Danilo Krummrich, Alexandre Courbot, Alice Ryhl,
David Airlie, Simona Vetter, John Hubbard, Alistair Popple,
Timur Tabi, Edwin Peer, Zhi Wang, Bjorn Helgaas, Miguel Ojeda,
Alex Gaynor, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, nouveau, dri-devel,
rust-for-linux
On Jan 25, 2026, at 4:09 AM, Dirk Behme <dirk.behme@gmail.com> wrote:
>
> Hi Joel,
>
> On 25.01.26 00:18, Joel Fernandes wrote:
>> Use checked_add() and checked_mul() when computing offsets from
>> firmware-provided values in new_fwsec().
>>
>> Without checked arithmetic, corrupt firmware could cause integer overflow. The
>> danger is not just wrapping to a huge value, but potentially wrapping to a
>> small plausible offset that passes validation yet accesses entirely wrong data,
>> causing silent corruption or security issues.
>>
>> Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
>> ---
>> drivers/gpu/nova-core/firmware/fwsec.rs | 60 ++++++++++++++-----------
>> 1 file changed, 35 insertions(+), 25 deletions(-)
>>
>> diff --git a/drivers/gpu/nova-core/firmware/fwsec.rs b/drivers/gpu/nova-core/firmware/fwsec.rs
>> index a8ec08a500ac..1a91bbbce3d5 100644
>> --- a/drivers/gpu/nova-core/firmware/fwsec.rs
>> +++ b/drivers/gpu/nova-core/firmware/fwsec.rs
>> @@ -46,10 +46,7 @@
> ...
>> @@ -356,8 +362,12 @@ pub(crate) fn new(
>> // Patch signature if needed.
>> let desc = bios.fwsec_image().header()?;
>> let ucode_signed = if desc.signature_count() != 0 {
>> - let sig_base_img =
>> - usize::from_safe_cast(desc.imem_load_size() + desc.pkc_data_offset());
>> + // Compute sig_base_img = desc.imem_load_size + desc.pkc_data_offset.
>
> Nit: Drop `desc.` to make it consistent with the other comments.
Ok, thanks. I request anyone applying the patch to fix that on apply, but I can
totally do that if respinning/resending.
--
Joel Fernandes
* [PATCH v1 2/5] gpu: nova-core: use checked arithmetic in Booter signature parsing
2026-01-24 23:18 [PATCH v1 0/5] gpu: nova-core: use checked arithmetic for firmware parsing robustness Joel Fernandes
2026-01-24 23:18 ` [PATCH v1 1/5] gpu: nova-core: use checked arithmetic in FWSEC firmware parsing Joel Fernandes
@ 2026-01-24 23:18 ` Joel Fernandes
2026-01-26 8:08 ` Zhi Wang
2026-01-24 23:18 ` [PATCH v1 3/5] gpu: nova-core: use checked arithmetic in frombytes_at helper Joel Fernandes
` (2 subsequent siblings)
4 siblings, 1 reply; 13+ messages in thread
From: Joel Fernandes @ 2026-01-24 23:18 UTC (permalink / raw)
To: linux-kernel, Danilo Krummrich, Alexandre Courbot, Alice Ryhl,
David Airlie, Simona Vetter
Cc: John Hubbard, Alistair Popple, Timur Tabi, Edwin Peer, Zhi Wang,
Bjorn Helgaas, Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo,
Björn Roy Baron, Benno Lossin, Andreas Hindborg,
Trevor Gross, nouveau, dri-devel, rust-for-linux, Joel Fernandes
Use checked_add() when computing signature offsets from firmware-
provided values in signatures_iter().
Without checked arithmetic, overflow could wrap to a small plausible
offset that points to entirely wrong data.
Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
---
drivers/gpu/nova-core/firmware/booter.rs | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/nova-core/firmware/booter.rs b/drivers/gpu/nova-core/firmware/booter.rs
index 86556cee8e67..f5ad619dc055 100644
--- a/drivers/gpu/nova-core/firmware/booter.rs
+++ b/drivers/gpu/nova-core/firmware/booter.rs
@@ -119,14 +119,23 @@ fn signatures_iter(&'a self) -> Result<impl Iterator<Item = BooterSignature<'a>>
Some(sig_size) => {
let patch_sig =
frombytes_at::<u32>(self.fw, self.hdr.patch_sig_offset.into_safe_cast())?;
- let signatures_start = usize::from_safe_cast(self.hdr.sig_prod_offset + patch_sig);
+
+ // Compute signatures_start = hdr.sig_prod_offset + patch_sig.
+ let signatures_start = self
+ .hdr
+ .sig_prod_offset
+ .checked_add(patch_sig)
+ .map(usize::from_safe_cast)
+ .ok_or(EINVAL)?;
+
+ // Compute signatures_end = signatures_start + hdr.sig_prod_size.
+ let signatures_end = signatures_start
+ .checked_add(usize::from_safe_cast(self.hdr.sig_prod_size))
+ .ok_or(EINVAL)?;
self.fw
// Get signatures range.
- .get(
- signatures_start
- ..signatures_start + usize::from_safe_cast(self.hdr.sig_prod_size),
- )
+ .get(signatures_start..signatures_end)
.ok_or(EINVAL)?
.chunks_exact(sig_size.into_safe_cast())
}
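Review bot: at `.chunks_exact(sig_size.into_safe_cast())`, which this hunk leaves untouched, a `sig_size` of zero would panic and a `sig_prod_size` that is not a multiple of `sig_size` silently drops the trailing bytes. If `sig_size` is also derived from the firmware header (not visible in this hunk), it deserves the same treatment as the offsets, for example rejecting zero and a non-empty remainder with EINVAL.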
--
2.34.1
* Re: [PATCH v1 2/5] gpu: nova-core: use checked arithmetic in Booter signature parsing
2026-01-24 23:18 ` [PATCH v1 2/5] gpu: nova-core: use checked arithmetic in Booter signature parsing Joel Fernandes
@ 2026-01-26 8:08 ` Zhi Wang
2026-01-26 11:00 ` Joel Fernandes
0 siblings, 1 reply; 13+ messages in thread
From: Zhi Wang @ 2026-01-26 8:08 UTC (permalink / raw)
To: Joel Fernandes
Cc: linux-kernel, Danilo Krummrich, Alexandre Courbot, Alice Ryhl,
David Airlie, Simona Vetter, John Hubbard, Alistair Popple,
Timur Tabi, Edwin Peer, Bjorn Helgaas, Miguel Ojeda, Alex Gaynor,
Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin,
Andreas Hindborg, Trevor Gross, nouveau, dri-devel,
rust-for-linux
On Sat, 24 Jan 2026 18:18:27 -0500
Joel Fernandes <joelagnelf@nvidia.com> wrote:
> Use checked_add() when computing signature offsets from firmware-
> provided values in signatures_iter().
>
> Without checked arithmetic, overflow could wrap to a small plausible
> offset that points to entirely wrong data.
>
> Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
> ---
> drivers/gpu/nova-core/firmware/booter.rs | 19 ++++++++++++++-----
> 1 file changed, 14 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/gpu/nova-core/firmware/booter.rs
> b/drivers/gpu/nova-core/firmware/booter.rs index
> 86556cee8e67..f5ad619dc055 100644 ---
> a/drivers/gpu/nova-core/firmware/booter.rs +++
> b/drivers/gpu/nova-core/firmware/booter.rs @@ -119,14 +119,23 @@ fn
> signatures_iter(&'a self) -> Result<impl Iterator<Item =
> BooterSignature<'a>> Some(sig_size) => { let patch_sig =
> frombytes_at::<u32>(self.fw,
> self.hdr.patch_sig_offset.into_safe_cast())?;
> - let signatures_start =
> usize::from_safe_cast(self.hdr.sig_prod_offset + patch_sig); +
> + // Compute signatures_start = hdr.sig_prod_offset +
> patch_sig.
> + let signatures_start = self
> + .hdr
> + .sig_prod_offset
> + .checked_add(patch_sig)
> + .map(usize::from_safe_cast)
> + .ok_or(EINVAL)?;
> +
> + // Compute signatures_end = signatures_start +
> hdr.sig_prod_size.
> + let signatures_end = signatures_start
> +
> .checked_add(usize::from_safe_cast(self.hdr.sig_prod_size))
> + .ok_or(EINVAL)?;
>
The same concern about the comment format in PATCH 1 raised by Dirk. With that
addressed,
Reviewed-by: Zhi Wang <zhiw@nvidia.com>
> self.fw
> // Get signatures range.
> - .get(
> - signatures_start
> - ..signatures_start +
> usize::from_safe_cast(self.hdr.sig_prod_size),
> - )
> + .get(signatures_start..signatures_end)
> .ok_or(EINVAL)?
> .chunks_exact(sig_size.into_safe_cast())
> }
* Re: [PATCH v1 2/5] gpu: nova-core: use checked arithmetic in Booter signature parsing
2026-01-26 8:08 ` Zhi Wang
@ 2026-01-26 11:00 ` Joel Fernandes
0 siblings, 0 replies; 13+ messages in thread
From: Joel Fernandes @ 2026-01-26 11:00 UTC (permalink / raw)
To: Zhi Wang
Cc: linux-kernel, Danilo Krummrich, Alexandre Courbot, Alice Ryhl,
David Airlie, Simona Vetter, John Hubbard, Alistair Popple,
Timur Tabi, Edwin Peer, Bjorn Helgaas, Miguel Ojeda, Alex Gaynor,
Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin,
Andreas Hindborg, Trevor Gross, nouveau, dri-devel,
rust-for-linux
On 1/26/2026 3:08 AM, Zhi Wang wrote:
> On Sat, 24 Jan 2026 18:18:27 -0500
> Joel Fernandes <joelagnelf@nvidia.com> wrote:
>
>> Use checked_add() when computing signature offsets from firmware-
>> provided values in signatures_iter().
>>
>> Without checked arithmetic, overflow could wrap to a small plausible
>> offset that points to entirely wrong data.
>>
>> Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
>> ---
>> drivers/gpu/nova-core/firmware/booter.rs | 19 ++++++++++++++-----
>> 1 file changed, 14 insertions(+), 5 deletions(-)
>>
>> diff --git a/drivers/gpu/nova-core/firmware/booter.rs
>> b/drivers/gpu/nova-core/firmware/booter.rs index
>> 86556cee8e67..f5ad619dc055 100644 ---
>> a/drivers/gpu/nova-core/firmware/booter.rs +++
>> b/drivers/gpu/nova-core/firmware/booter.rs @@ -119,14 +119,23 @@ fn
>> signatures_iter(&'a self) -> Result<impl Iterator<Item =
>> BooterSignature<'a>> Some(sig_size) => { let patch_sig =
>> frombytes_at::<u32>(self.fw,
>> self.hdr.patch_sig_offset.into_safe_cast())?;
>> - let signatures_start =
>> usize::from_safe_cast(self.hdr.sig_prod_offset + patch_sig); +
>> + // Compute signatures_start = hdr.sig_prod_offset +
>> patch_sig.
>> + let signatures_start = self
>> + .hdr
>> + .sig_prod_offset
>> + .checked_add(patch_sig)
>> + .map(usize::from_safe_cast)
>> + .ok_or(EINVAL)?;
>> +
>> + // Compute signatures_end = signatures_start +
>> hdr.sig_prod_size.
>> + let signatures_end = signatures_start
>> +
>> .checked_add(usize::from_safe_cast(self.hdr.sig_prod_size))
>> + .ok_or(EINVAL)?;
>>
>
> The same concern about the comment format in PATCH 1 raised by Dirk. With that
> addressed,
>
> Reviewed-by: Zhi Wang <zhiw@nvidia.com>
Fixed and applied your tags, thank you!
--
Joel Fernandes
* [PATCH v1 3/5] gpu: nova-core: use checked arithmetic in frombytes_at helper
2026-01-24 23:18 [PATCH v1 0/5] gpu: nova-core: use checked arithmetic for firmware parsing robustness Joel Fernandes
2026-01-24 23:18 ` [PATCH v1 1/5] gpu: nova-core: use checked arithmetic in FWSEC firmware parsing Joel Fernandes
2026-01-24 23:18 ` [PATCH v1 2/5] gpu: nova-core: use checked arithmetic in Booter signature parsing Joel Fernandes
@ 2026-01-24 23:18 ` Joel Fernandes
2026-01-26 8:00 ` Zhi Wang
2026-01-24 23:18 ` [PATCH v1 4/5] gpu: nova-core: use checked arithmetic in BinFirmware::data Joel Fernandes
2026-01-24 23:18 ` [PATCH v1 5/5] gpu: nova-core: use checked arithmetic in RISC-V firmware parsing Joel Fernandes
4 siblings, 1 reply; 13+ messages in thread
From: Joel Fernandes @ 2026-01-24 23:18 UTC (permalink / raw)
To: linux-kernel, Danilo Krummrich, Alice Ryhl, Alexandre Courbot,
David Airlie, Simona Vetter
Cc: John Hubbard, Alistair Popple, Timur Tabi, Edwin Peer, Zhi Wang,
Bjorn Helgaas, Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo,
Björn Roy Baron, Benno Lossin, Andreas Hindborg,
Trevor Gross, nouveau, dri-devel, rust-for-linux, Joel Fernandes
Use checked_add() when computing the end offset in the frombytes_at()
helper function. This function is called with firmware-provided offsets.
Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
---
drivers/gpu/nova-core/firmware/booter.rs | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/nova-core/firmware/booter.rs b/drivers/gpu/nova-core/firmware/booter.rs
index f5ad619dc055..1e2b2efe838f 100644
--- a/drivers/gpu/nova-core/firmware/booter.rs
+++ b/drivers/gpu/nova-core/firmware/booter.rs
@@ -43,8 +43,9 @@
/// Local convenience function to return a copy of `S` by reinterpreting the bytes starting at
/// `offset` in `slice`.
fn frombytes_at<S: FromBytes + Sized>(slice: &[u8], offset: usize) -> Result<S> {
+ let end = offset.checked_add(size_of::<S>()).ok_or(EINVAL)?;
slice
- .get(offset..offset + size_of::<S>())
+ .get(offset..end)
.and_then(S::from_bytes_copy)
.ok_or(EINVAL)
}
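Review bot: with `.get(offset..end)`, a wrapped `end` would be smaller than `offset`, and `get()` already returns `None` for such a range, so the old `offset..offset + size_of::<S>()` could not return wrong data. What `checked_add` buys here is avoiding an overflow panic in builds with overflow checks enabled; the commit message could say that. The doc comment could also state that EINVAL is returned when the range overflows or falls outside `slice`.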
--
2.34.1
* Re: [PATCH v1 3/5] gpu: nova-core: use checked arithmetic in frombytes_at helper
2026-01-24 23:18 ` [PATCH v1 3/5] gpu: nova-core: use checked arithmetic in frombytes_at helper Joel Fernandes
@ 2026-01-26 8:00 ` Zhi Wang
0 siblings, 0 replies; 13+ messages in thread
From: Zhi Wang @ 2026-01-26 8:00 UTC (permalink / raw)
To: Joel Fernandes
Cc: linux-kernel, Danilo Krummrich, Alice Ryhl, Alexandre Courbot,
David Airlie, Simona Vetter, Alistair Popple, Bjorn Helgaas,
Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo,
Björn Roy Baron, Benno Lossin, Andreas Hindborg,
Trevor Gross, nouveau, dri-devel, rust-for-linux
On Sat, 24 Jan 2026 18:18:28 -0500
Joel Fernandes <joelagnelf@nvidia.com> wrote:
> Use checked_add() when computing the end offset in the frombytes_at()
> helper function. This function is called with firmware-provided offsets.
>
> Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
> ---
> drivers/gpu/nova-core/firmware/booter.rs | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/nova-core/firmware/booter.rs
> b/drivers/gpu/nova-core/firmware/booter.rs index
> f5ad619dc055..1e2b2efe838f 100644 ---
> a/drivers/gpu/nova-core/firmware/booter.rs +++
> b/drivers/gpu/nova-core/firmware/booter.rs @@ -43,8 +43,9 @@
> /// Local convenience function to return a copy of `S` by
> reinterpreting the bytes starting at /// `offset` in `slice`.
> fn frombytes_at<S: FromBytes + Sized>(slice: &[u8], offset: usize) ->
> Result<S> {
> + let end = offset.checked_add(size_of::<S>()).ok_or(EINVAL)?;
> slice
> - .get(offset..offset + size_of::<S>())
> + .get(offset..end)
> .and_then(S::from_bytes_copy)
> .ok_or(EINVAL)
> }
Reviewed-by: Zhi Wang <zhiw@nvidia.com>
* [PATCH v1 4/5] gpu: nova-core: use checked arithmetic in BinFirmware::data
2026-01-24 23:18 [PATCH v1 0/5] gpu: nova-core: use checked arithmetic for firmware parsing robustness Joel Fernandes
` (2 preceding siblings ...)
2026-01-24 23:18 ` [PATCH v1 3/5] gpu: nova-core: use checked arithmetic in frombytes_at helper Joel Fernandes
@ 2026-01-24 23:18 ` Joel Fernandes
2026-01-26 8:01 ` Zhi Wang
2026-01-24 23:18 ` [PATCH v1 5/5] gpu: nova-core: use checked arithmetic in RISC-V firmware parsing Joel Fernandes
4 siblings, 1 reply; 13+ messages in thread
From: Joel Fernandes @ 2026-01-24 23:18 UTC (permalink / raw)
To: linux-kernel, Danilo Krummrich, Alexandre Courbot, Alice Ryhl,
David Airlie, Simona Vetter
Cc: John Hubbard, Alistair Popple, Timur Tabi, Edwin Peer, Zhi Wang,
Bjorn Helgaas, Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo,
Björn Roy Baron, Benno Lossin, Andreas Hindborg,
Trevor Gross, nouveau, dri-devel, rust-for-linux, Joel Fernandes
Use checked_add() when computing the firmware data end offset in the
BinFirmware::data() method. The data_offset and data_size fields come
from the BinHdr structure parsed from the firmware file header.
Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
---
drivers/gpu/nova-core/firmware.rs | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/nova-core/firmware.rs b/drivers/gpu/nova-core/firmware.rs
index 68779540aa28..4f57a270e142 100644
--- a/drivers/gpu/nova-core/firmware.rs
+++ b/drivers/gpu/nova-core/firmware.rs
@@ -394,8 +394,9 @@ fn new(fw: &'a firmware::Firmware) -> Result<Self> {
fn data(&self) -> Option<&[u8]> {
let fw_start = usize::from_safe_cast(self.hdr.data_offset);
let fw_size = usize::from_safe_cast(self.hdr.data_size);
+ let fw_end = fw_start.checked_add(fw_size)?;
- self.fw.get(fw_start..fw_start + fw_size)
+ self.fw.get(fw_start..fw_end)
}
}
--
2.34.1
* Re: [PATCH v1 4/5] gpu: nova-core: use checked arithmetic in BinFirmware::data
2026-01-24 23:18 ` [PATCH v1 4/5] gpu: nova-core: use checked arithmetic in BinFirmware::data Joel Fernandes
@ 2026-01-26 8:01 ` Zhi Wang
0 siblings, 0 replies; 13+ messages in thread
From: Zhi Wang @ 2026-01-26 8:01 UTC (permalink / raw)
To: Joel Fernandes
Cc: linux-kernel, Danilo Krummrich, Alexandre Courbot, Alice Ryhl,
David Airlie, Simona Vetter, Alistair Popple, Bjorn Helgaas,
Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo,
Björn Roy Baron, Benno Lossin, Andreas Hindborg,
Trevor Gross, nouveau, dri-devel, rust-for-linux
On Sat, 24 Jan 2026 18:18:29 -0500
Joel Fernandes <joelagnelf@nvidia.com> wrote:
> Use checked_add() when computing the firmware data end offset in the
> BinFirmware::data() method. The data_offset and data_size fields come
> from the BinHdr structure parsed from the firmware file header.
>
> Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
> ---
> drivers/gpu/nova-core/firmware.rs | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/nova-core/firmware.rs
> b/drivers/gpu/nova-core/firmware.rs index 68779540aa28..4f57a270e142
> 100644 --- a/drivers/gpu/nova-core/firmware.rs
> +++ b/drivers/gpu/nova-core/firmware.rs
> @@ -394,8 +394,9 @@ fn new(fw: &'a firmware::Firmware) -> Result<Self> {
> fn data(&self) -> Option<&[u8]> {
> let fw_start = usize::from_safe_cast(self.hdr.data_offset);
> let fw_size = usize::from_safe_cast(self.hdr.data_size);
> + let fw_end = fw_start.checked_add(fw_size)?;
>
> - self.fw.get(fw_start..fw_start + fw_size)
> + self.fw.get(fw_start..fw_end)
> }
> }
>
Reviewed-by: Zhi Wang <zhiw@nvidia.com>
* [PATCH v1 5/5] gpu: nova-core: use checked arithmetic in RISC-V firmware parsing
2026-01-24 23:18 [PATCH v1 0/5] gpu: nova-core: use checked arithmetic for firmware parsing robustness Joel Fernandes
` (3 preceding siblings ...)
2026-01-24 23:18 ` [PATCH v1 4/5] gpu: nova-core: use checked arithmetic in BinFirmware::data Joel Fernandes
@ 2026-01-24 23:18 ` Joel Fernandes
2026-01-26 8:01 ` Zhi Wang
4 siblings, 1 reply; 13+ messages in thread
From: Joel Fernandes @ 2026-01-24 23:18 UTC (permalink / raw)
To: linux-kernel, Danilo Krummrich, Alexandre Courbot, Alice Ryhl,
David Airlie, Simona Vetter, Paul Walmsley, Palmer Dabbelt,
Albert Ou, Alexandre Ghiti
Cc: John Hubbard, Alistair Popple, Timur Tabi, Edwin Peer, Zhi Wang,
Bjorn Helgaas, Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo,
Björn Roy Baron, Benno Lossin, Andreas Hindborg,
Trevor Gross, nouveau, dri-devel, rust-for-linux, Joel Fernandes,
linux-riscv
Use checked_add() when computing offsets from firmware-provided values
in the RISC-V firmware parsing code. These values come from the BinHdr
structure parsed from the firmware file header.
Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
---
drivers/gpu/nova-core/firmware/riscv.rs | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/nova-core/firmware/riscv.rs b/drivers/gpu/nova-core/firmware/riscv.rs
index 28dfef63657a..97030bdd9991 100644
--- a/drivers/gpu/nova-core/firmware/riscv.rs
+++ b/drivers/gpu/nova-core/firmware/riscv.rs
@@ -47,10 +47,11 @@ impl RmRiscvUCodeDesc {
/// Fails if the header pointed at by `bin_fw` is not within the bounds of the firmware image.
fn new(bin_fw: &BinFirmware<'_>) -> Result<Self> {
let offset = usize::from_safe_cast(bin_fw.hdr.header_offset);
+ let end = offset.checked_add(size_of::<Self>()).ok_or(EINVAL)?;
bin_fw
.fw
- .get(offset..offset + size_of::<Self>())
+ .get(offset..end)
.and_then(Self::from_bytes_copy)
.ok_or(EINVAL)
}
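Review bot: `offset.checked_add(size_of::<Self>())`, `.get(offset..end)` and `.and_then(Self::from_bytes_copy)` in `RmRiscvUCodeDesc::new()` are line for line the body of `frombytes_at()` as changed in patch 3/5 (booter.rs). Making that helper shared and calling it here would leave a single copy of the range computation to audit.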
@@ -80,8 +81,9 @@ pub(crate) fn new(dev: &device::Device<device::Bound>, fw: &Firmware) -> Result<
let ucode = {
let start = usize::from_safe_cast(bin_fw.hdr.data_offset);
let len = usize::from_safe_cast(bin_fw.hdr.data_size);
+ let end = start.checked_add(len).ok_or(EINVAL)?;
- DmaObject::from_data(dev, fw.data().get(start..start + len).ok_or(EINVAL)?)?
+ DmaObject::from_data(dev, fw.data().get(start..end).ok_or(EINVAL)?)?
};
Ok(Self {
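Review bot: the `start`/`len`/`end` computation from `bin_fw.hdr.data_offset` and `bin_fw.hdr.data_size` duplicates `BinFirmware::data()` from patch 4/5, except that it slices `fw.data()` rather than `self.fw`. If both refer to the same buffer, `bin_fw.data().ok_or(EINVAL)?` would remove the second copy; if they do not, a short comment saying why would help.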
--
2.34.1
* Re: [PATCH v1 5/5] gpu: nova-core: use checked arithmetic in RISC-V firmware parsing
2026-01-24 23:18 ` [PATCH v1 5/5] gpu: nova-core: use checked arithmetic in RISC-V firmware parsing Joel Fernandes
@ 2026-01-26 8:01 ` Zhi Wang
0 siblings, 0 replies; 13+ messages in thread
From: Zhi Wang @ 2026-01-26 8:01 UTC (permalink / raw)
To: Joel Fernandes
Cc: linux-kernel, Danilo Krummrich, Alexandre Courbot, Alice Ryhl,
David Airlie, Simona Vetter, Paul Walmsley, Palmer Dabbelt,
Albert Ou, Alexandre Ghiti, Alistair Popple, Bjorn Helgaas,
Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo,
Björn Roy Baron, Benno Lossin, Andreas Hindborg,
Trevor Gross, nouveau, dri-devel, rust-for-linux, linux-riscv
On Sat, 24 Jan 2026 18:18:30 -0500
Joel Fernandes <joelagnelf@nvidia.com> wrote:
> Use checked_add() when computing offsets from firmware-provided values
> in the RISC-V firmware parsing code. These values come from the BinHdr
> structure parsed from the firmware file header.
>
> Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
> ---
> drivers/gpu/nova-core/firmware/riscv.rs | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/nova-core/firmware/riscv.rs
> b/drivers/gpu/nova-core/firmware/riscv.rs index
> 28dfef63657a..97030bdd9991 100644 ---
> a/drivers/gpu/nova-core/firmware/riscv.rs +++
> b/drivers/gpu/nova-core/firmware/riscv.rs @@ -47,10 +47,11 @@ impl
> RmRiscvUCodeDesc { /// Fails if the header pointed at by `bin_fw` is not
> within the bounds of the firmware image. fn new(bin_fw:
> &BinFirmware<'_>) -> Result<Self> { let offset =
> usize::from_safe_cast(bin_fw.hdr.header_offset);
> + let end = offset.checked_add(size_of::<Self>()).ok_or(EINVAL)?;
>
> bin_fw
> .fw
> - .get(offset..offset + size_of::<Self>())
> + .get(offset..end)
> .and_then(Self::from_bytes_copy)
> .ok_or(EINVAL)
> }
> @@ -80,8 +81,9 @@ pub(crate) fn new(dev: &device::Device<device::Bound>,
> fw: &Firmware) -> Result< let ucode = {
> let start = usize::from_safe_cast(bin_fw.hdr.data_offset);
> let len = usize::from_safe_cast(bin_fw.hdr.data_size);
> + let end = start.checked_add(len).ok_or(EINVAL)?;
>
> - DmaObject::from_data(dev, fw.data().get(start..start +
> len).ok_or(EINVAL)?)?
> + DmaObject::from_data(dev,
> fw.data().get(start..end).ok_or(EINVAL)?)? };
>
> Ok(Self {
Reviewed-by: Zhi Wang <zhiw@nvidia.com>
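The failure mode named in the 1/5 commit message, a sum of two firmware fields that wraps to a small in-bounds offset, shown as an added example that is not part of this thread or of nova-core. The image layout and the names `Desc`, `MAGIC`, `DECOY`, `build_image` and `load_hdr_*` are constructed for illustration.

```rust
// Added illustration, not nova-core code. The image layout, field values and
// all names below are constructed for this example.

const MAGIC: u32 = 0x4E4F_5641; // marks the "real" header at offset 0x20
const DECOY: u32 = 0xDEAD_BEEF; // unrelated data sitting at offset 0x08

#[derive(Debug, PartialEq)]
enum ParseError {
    Overflow,
    OutOfBounds,
}

/// Two firmware-provided 32-bit fields whose sum locates a header.
struct Desc {
    imem_load_size: u32,
    interface_offset: u32,
}

/// Constructed 64-byte image: decoy word at 0x08, header magic at 0x20.
fn build_image() -> Vec<u8> {
    let mut img = vec![0u8; 64];
    img[0x08..0x0C].copy_from_slice(&DECOY.to_le_bytes());
    img[0x20..0x24].copy_from_slice(&MAGIC.to_le_bytes());
    img
}

/// Bounds-checked little-endian read. This is the validation that a wrapped
/// offset can still pass, because the wrapped value is small.
fn read_u32_le(img: &[u8], at: usize) -> Result<u32, ParseError> {
    let end = at.checked_add(4).ok_or(ParseError::Overflow)?;
    let bytes = img.get(at..end).ok_or(ParseError::OutOfBounds)?;
    Ok(u32::from_le_bytes([bytes[0], bytes[1], bytes[2], bytes[3]]))
}

/// Pre-patch shape. Plain `+` panics in builds with overflow checks and wraps
/// otherwise; `wrapping_add` models the wrapping case deterministically.
fn load_hdr_wrapping(img: &[u8], d: &Desc) -> Result<u32, ParseError> {
    let off = d.imem_load_size.wrapping_add(d.interface_offset) as usize;
    read_u32_le(img, off)
}

/// Post-patch shape: reject the sum before it is ever used as an offset.
fn load_hdr_checked(img: &[u8], d: &Desc) -> Result<u32, ParseError> {
    let off = d
        .imem_load_size
        .checked_add(d.interface_offset)
        .map(|v| v as usize) // lossless on 32- and 64-bit targets
        .ok_or(ParseError::Overflow)?;
    read_u32_le(img, off)
}

fn main() {
    let img = build_image();
    let good = Desc { imem_load_size: 0x10, interface_offset: 0x10 };
    // 0xFFFF_FFF0 + 0x18 = 0x1_0000_0008, which truncates to 0x08.
    let corrupt = Desc { imem_load_size: 0xFFFF_FFF0, interface_offset: 0x18 };

    println!("good,    wrapping: {:X?}", load_hdr_wrapping(&img, &good));
    println!("good,    checked:  {:X?}", load_hdr_checked(&img, &good));
    println!("corrupt, wrapping: {:X?}", load_hdr_wrapping(&img, &corrupt));
    println!("corrupt, checked:  {:X?}", load_hdr_checked(&img, &corrupt));
}
```

With the corrupt descriptor the wrapping variant returns `Ok` with the decoy word, so the caller has no signal that it parsed the wrong bytes; the checked variant fails before any read.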