gpu: nova-core: use checked arithmetic in Booter signature parsing

Use checked_add() when computing signature offsets from firmware- provided values in signatures_iter(). Without checked arithmetic, overflow could wrap to a small plausible offset that points to entirely wrong data. Reviewed-by: Zhi Wang <zhiw@nvidia.com> Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com> Reviewed-by: Gary Guo <gary@garyguo.net> Link: https://patch.msgid.link/20260126202305.2526618-3-joelagnelf@nvidia.com [acourbot@nvidia.com: remove obvious computation comments.] Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
author: Joel Fernandes <joelagnelf@nvidia.com> 2026-01-26 15:23:02 -0500
committer: Alexandre Courbot <acourbot@nvidia.com> 2026-02-25 08:16:55 +0900
commit: 4f2609685418cc995ff6a2d558ed62214dec75dc (patch)
tree: 9de433f16ef5593ebe347637ce11cd319eff28cd
parent: 0568b376a0b13da6582bce1f2e2bbb2eae7fc266 (diff)
1 files changed, 12 insertions, 5 deletions
diff --git a/drivers/gpu/nova-core/firmware/booter.rs b/drivers/gpu/nova-core/firmware/booter.rs
index 86556cee8e67..21cd437a3c95 100644
--- a/drivers/gpu/nova-core/firmware/booter.rs
+++ b/drivers/gpu/nova-core/firmware/booter.rs
@@ -119,14 +119,21 @@ impl<'a> HsFirmwareV2<'a> {
             Some(sig_size) => {
                 let patch_sig =
                     frombytes_at::<u32>(self.fw, self.hdr.patch_sig_offset.into_safe_cast())?;
-                let signatures_start = usize::from_safe_cast(self.hdr.sig_prod_offset + patch_sig);
+
+                let signatures_start = self
+                    .hdr
+                    .sig_prod_offset
+                    .checked_add(patch_sig)
+                    .map(usize::from_safe_cast)
+                    .ok_or(EINVAL)?;
+
+                let signatures_end = signatures_start
+                    .checked_add(usize::from_safe_cast(self.hdr.sig_prod_size))
+                    .ok_or(EINVAL)?;
 
                 self.fw
                     // Get signatures range.
-                    .get(
-                        signatures_start
-                            ..signatures_start + usize::from_safe_cast(self.hdr.sig_prod_size),
-                    )
+                    .get(signatures_start..signatures_end)
                     .ok_or(EINVAL)?
                     .chunks_exact(sig_size.into_safe_cast())
             }
author	Joel Fernandes <joelagnelf@nvidia.com>	2026-01-26 15:23:02 -0500
committer	Alexandre Courbot <acourbot@nvidia.com>	2026-02-25 08:16:55 +0900
commit	4f2609685418cc995ff6a2d558ed62214dec75dc (patch)
tree	9de433f16ef5593ebe347637ce11cd319eff28cd
parent	0568b376a0b13da6582bce1f2e2bbb2eae7fc266 (diff)