From: Greg KH <gregkh@linuxfoundation.org>
To: Sasha Levin <sashal@kernel.org>
Cc: stable@vger.kernel.org, Sebastian Ene <sebastianene@google.com>,
Will Deacon <will@kernel.org>, Marc Zyngier <maz@kernel.org>
Subject: Re: [PATCH 6.6.y] KVM: arm64: Check the untrusted offset in FF-A memory share
Date: Mon, 24 Nov 2025 15:50:45 +0100 [thread overview]
Message-ID: <2025112405-campus-flatworm-25a5@gregkh> (raw)
In-Reply-To: <20251124141134.4098048-1-sashal@kernel.org>
On Mon, Nov 24, 2025 at 09:11:34AM -0500, Sasha Levin wrote:
> From: Sebastian Ene <sebastianene@google.com>
>
> [ Upstream commit 103e17aac09cdd358133f9e00998b75d6c1f1518 ]
>
> Verify the offset to prevent OOB access in the hypervisor
> FF-A buffer in case an untrusted large enough value
> [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX]
> is set from the host kernel.
>
> Signed-off-by: Sebastian Ene <sebastianene@google.com>
> Acked-by: Will Deacon <will@kernel.org>
> Link: https://patch.msgid.link/20251017075710.2605118-1-sebastianene@google.com
> Signed-off-by: Marc Zyngier <maz@kernel.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c
> index 8d21ab904f1a9..eacf4ba1d88e9 100644
> --- a/arch/arm64/kvm/hyp/nvhe/ffa.c
> +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c
> @@ -425,7 +425,7 @@ static void __do_ffa_mem_xfer(const u64 func_id,
> DECLARE_REG(u32, npages_mbz, ctxt, 4);
> struct ffa_composite_mem_region *reg;
> struct ffa_mem_region *buf;
> - u32 offset, nr_ranges;
> + u32 offset, nr_ranges, checked_offset;
> int ret = 0;
>
> if (addr_mbz || npages_mbz || fraglen > len ||
> @@ -460,7 +460,12 @@ static void __do_ffa_mem_xfer(const u64 func_id,
> goto out_unlock;
> }
>
> - if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) {
> + if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) {
> + ret = FFA_RET_INVALID_PARAMETERS;
> + goto out_unlock;
> + }
I was told that a "straight" backport like this was not correct, so we
need a "better" one :(
Sebastian, can you provide the correct backport for 6.6.y please?
thanks,
greg k-h
next prev parent reply other threads:[~2025-11-24 14:50 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-24 10:52 FAILED: patch "[PATCH] KVM: arm64: Check the untrusted offset in FF-A memory share" failed to apply to 6.6-stable tree gregkh
2025-11-24 14:11 ` [PATCH 6.6.y] KVM: arm64: Check the untrusted offset in FF-A memory share Sasha Levin
2025-11-24 14:50 ` Greg KH [this message]
2025-11-24 15:00 ` Sebastian Ene
2025-11-24 15:19 ` Sasha Levin
2025-11-24 15:56 ` Greg KH
2025-11-24 19:53 ` Sebastian Ene
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2025112405-campus-flatworm-25a5@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=maz@kernel.org \
--cc=sashal@kernel.org \
--cc=sebastianene@google.com \
--cc=stable@vger.kernel.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.