
Commit c50105d

ayushr2gvisor-bot
authored andcommitted
nvproxy: Add size check for NV0000_CTRL_CMD_SYSTEM_GET_BUILD_VERSION.
This change introduces a maximum size limit for the strings requested in NV0000_CTRL_CMD_SYSTEM_GET_BUILD_VERSION to prevent excessive memory allocation based on user-provided input. Reported-by: Antoni Tremblay <i00@tutanota.com> PiperOrigin-RevId: 873011768
1 parent 2ba75b9 commit c50105d


2 files changed

+14
-9
lines changed


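--- a/pkg/abi/nvgpu/ctrl.go
+++ b/pkg/abi/nvgpu/ctrl.go
@@ -131,15 +131,16 @@ const (
 
 // From src/common/sdk/nvidia/inc/ctrl/ctrl0000/ctrl0000system.h:
 const (
-NV0000_CTRL_CMD_SYSTEM_GET_BUILD_VERSION = 0x101
-NV0000_CTRL_CMD_SYSTEM_GET_CPU_INFO = 0x102
-NV0000_CTRL_CMD_SYSTEM_GET_P2P_CAPS = 0x127
-NV0000_CTRL_CMD_SYSTEM_GET_P2P_CAPS_V2 = 0x12b
-NV0000_CTRL_CMD_SYSTEM_GET_FABRIC_STATUS = 0x136
-NV0000_CTRL_CMD_SYSTEM_GET_P2P_CAPS_MATRIX = 0x13a
-NV0000_CTRL_CMD_SYSTEM_GET_FEATURES = 0x1f0
-NV0000_CTRL_SYSTEM_MAX_ATTACHED_GPUS = 32
-NV0000_CTRL_P2P_CAPS_INDEX_TABLE_SIZE = 9
+NV0000_CTRL_CMD_SYSTEM_GET_BUILD_VERSION = 0x101
+NV0000_CTRL_CMD_SYSTEM_GET_CPU_INFO = 0x102
+NV0000_CTRL_CMD_SYSTEM_GET_P2P_CAPS = 0x127
+NV0000_CTRL_CMD_SYSTEM_GET_P2P_CAPS_V2 = 0x12b
+NV0000_CTRL_CMD_SYSTEM_GET_FABRIC_STATUS = 0x136
+NV0000_CTRL_CMD_SYSTEM_GET_P2P_CAPS_MATRIX = 0x13a
+NV0000_CTRL_CMD_SYSTEM_GET_FEATURES = 0x1f0
+NV0000_CTRL_SYSTEM_GET_BUILD_VERSION_V2_MAX_STRING_SIZE = 256
+NV0000_CTRL_SYSTEM_MAX_ATTACHED_GPUS = 32
+NV0000_CTRL_P2P_CAPS_INDEX_TABLE_SIZE = 9
 )
 
 // NV0000_CTRL_SYSTEM_GET_P2P_CAPS_PARAMS is the param type for NV0000_CTRL_CMD_SYSTEM_GET_P2P_CAPS,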

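--- a/pkg/sentry/devices/nvproxy/frontend.go
+++ b/pkg/sentry/devices/nvproxy/frontend.go
@@ -961,6 +961,10 @@ func ctrlClientSystemGetBuildVersion(fi *frontendIoctlState, ioctlParams *nvgpu.
 if ctrlParams.SizeOfStrings == 0 {
 return 0, linuxerr.EINVAL
 }
+// The driver internally uses NV0000_CTRL_CMD_SYSTEM_GET_BUILD_VERSION_V2 to
+// fetch the version strings, which has a maximum string size limit. Any
+// extra buffer space provided by the user is ignored.
+ctrlParams.SizeOfStrings = min(ctrlParams.SizeOfStrings, nvgpu.NV0000_CTRL_SYSTEM_GET_BUILD_VERSION_V2_MAX_STRING_SIZE)
 driverVersionBuf := make([]byte, ctrlParams.SizeOfStrings)
 versionBuf := make([]byte, ctrlParams.SizeOfStrings)
 titleBuf := make([]byte, ctrlParams.SizeOfStrings)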
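Review bot: The clamp on new line 967 mutates `ctrlParams.SizeOfStrings` in place, so if the remainder of ctrlClientSystemGetBuildVersion (which continues outside this hunk) copies `ctrlParams` back to user memory, the caller will observe a SizeOfStrings smaller than the one it supplied, which may not match what the host driver reports for the same request; either save the original value and restore it before copy-out, or extend the comment with `// The clamped value is intentionally what the application sees.` so the divergence is documented. The cap is applied before the three `make` calls on 968–970, so the allocation driven by user input is now bounded to three buffers of at most 256 bytes each, which is the security-relevant part and looks correct. A unit test that passes an oversized SizeOfStrings and asserts the buffers are capped would pin this fix against regression.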
