drm/nouveau/acr: Fix undefined behavior in nvkm_acr_hsfw_load_bl()

In nvkm_acr_hsfw_load_bl(), the return value of kmalloc() is directly
passed to memcpy(), which could lead to undefined behavior on failure
of kmalloc().

Fix this bug by using kmemdup() instead of kmalloc()+memcpy().

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 22dcda45a3d1 ("drm/nouveau/acr: implement new subdev to replace "secure boot"")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Lyude Paul <lyude@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220124165856.57022-1-zhou1615@umn.edu

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/acr/hsfw.c b/drivers/gpu/drm/nouveau/nvkm/subdev/acr/hsfw.c
index 667fa016496eeb11e61b774f8db98bb9565829b3..a6ea89a5d51ab90806de88908bb7e7d961412c3b 100644 (file)
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/acr/hsfw.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/acr/hsfw.c
@@ -142,11 +142,12 @@ nvkm_acr_hsfw_load_bl(struct nvkm_acr *acr, const char *name, int ver,
 
        hsfw->imem_size = desc->code_size;
        hsfw->imem_tag = desc->start_tag;
-       hsfw->imem = kmalloc(desc->code_size, GFP_KERNEL);
-       memcpy(hsfw->imem, data + desc->code_off, desc->code_size);
-
+       hsfw->imem = kmemdup(data + desc->code_off, desc->code_size, GFP_KERNEL);
        nvkm_firmware_put(fw);
-       return 0;
+       if (!hsfw->imem)
+               return -ENOMEM;
+       else
+               return 0;
 }
 
 int