nvproxy: stop validating client-supplied NVOS64_PARAMETERS.ParamsSize on alloc#13547
Open
copybara-service[bot] wants to merge 1 commit into
Open
nvproxy: stop validating client-supplied NVOS64_PARAMETERS.ParamsSize on alloc#13547copybara-service[bot] wants to merge 1 commit into
copybara-service[bot] wants to merge 1 commit into
Conversation
copybara-service
Bot
force-pushed
the
test/cl936761308
branch
2 times, most recently
from
2727a2f to
54b0596
Compare
… on alloc The NV_ESC_RM_ALLOC handlers rejected allocations whose NVOS64_PARAMETERS.ParamsSize did not equal the size of nvproxy's struct for the allocation class. This is incorrect: the NVIDIA kernel driver ignores the client-supplied ParamsSize entirely and derives the parameter size from the class itself. See src/nvidia/src/kernel/rmapi/alloc_free.c:serverAllocApiCopyIn(), which initializes the copy size to 0 and sets it via rmapiParamsCopyInit() => rmapiGetClassAllocParamSize() (src/nvidia/src/kernel/rmapi/resource_desc.c), reading RsResInfoByExternalClassId(hClass)->allocParamSize. The user's ParamsSize is never compared against it, so clients may legitimately pass ParamsSize == 0 (or any other value) and the allocation still succeeds. This broke NV_IMEX_SESSION (class 0x000000f1): nvidia-imex passes a ParamsSize that differs from sizeof(NV00F1_ALLOCATION_PARAMETERS), and nvproxy returned EINVAL where the host driver would have succeeded. The check was added for NV_IMEX_SESSION and NV_MEMORY_MULTICAST_FABRIC in commit 69b0b74 ("nvproxy: translate pOsEvent FD for NV_MEMORY_MULTICAST_FABRIC allocations"). rmAllocSimpleParams() carried a pre-existing variant of the same check; it avoided breakage only because of its "ParamsSize != 0" guard, but would still have wrongly rejected a non-zero mismatching size from a differing client ABI revision. Drop the check from rmAllocSimpleParams(), rmAllocIMEXSession(), and rmAllocMulticastFabric(). nvproxy copies in the fixed-size struct for the class regardless of ParamsSize, so there is no buffer-safety reason to validate it. The NV_ESC_RM_CONTROL (NVOS54) ParamsSize checks are left unchanged, since control commands carry a client-specified parameter size that the driver does honor. PiperOrigin-RevId: 936761308
copybara-service
Bot
force-pushed
the
test/cl936761308
branch
from
54b0596 to
51a4d27
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
nvproxy: stop validating client-supplied NVOS64_PARAMETERS.ParamsSize on alloc
The NV_ESC_RM_ALLOC handlers rejected allocations whose
NVOS64_PARAMETERS.ParamsSize did not equal the size of nvproxy's struct
for the allocation class. This is incorrect: the NVIDIA kernel driver
ignores the client-supplied ParamsSize entirely and derives the
parameter size from the class itself. See
src/nvidia/src/kernel/rmapi/alloc_free.c:serverAllocApiCopyIn(), which
initializes the copy size to 0 and sets it via rmapiParamsCopyInit() =>
rmapiGetClassAllocParamSize() (src/nvidia/src/kernel/rmapi/resource_desc.c),
reading RsResInfoByExternalClassId(hClass)->allocParamSize. The user's
ParamsSize is never compared against it, so clients may legitimately pass
ParamsSize == 0 (or any other value) and the allocation still succeeds.
This broke NV_IMEX_SESSION (class 0x000000f1): nvidia-imex passes a
ParamsSize that differs from sizeof(NV00F1_ALLOCATION_PARAMETERS), and
nvproxy returned EINVAL where the host driver would have succeeded.
The check was added for NV_IMEX_SESSION and NV_MEMORY_MULTICAST_FABRIC in
commit 69b0b74 ("nvproxy: translate pOsEvent FD for
NV_MEMORY_MULTICAST_FABRIC allocations"). rmAllocSimpleParams() carried a
pre-existing variant of the same check; it avoided breakage only because
of its "ParamsSize != 0" guard, but would still have wrongly rejected a
non-zero mismatching size from a differing client ABI revision.
Drop the check from rmAllocSimpleParams(), rmAllocIMEXSession(), and
rmAllocMulticastFabric(). nvproxy copies in the fixed-size struct for the
class regardless of ParamsSize, so there is no buffer-safety reason to
validate it. The NV_ESC_RM_CONTROL (NVOS54) ParamsSize checks are left
unchanged, since control commands carry a client-specified parameter size
that the driver does honor.