From: Marc Zyngier <maz@kernel.org>
To: Mostafa Saleh <smostafa@google.com>
Cc: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org,
kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com,
catalin.marinas@arm.com, jens.wiklander@linaro.org,
sumit.garg@kernel.org, sebastianene@google.com,
vdonnefort@google.com, sudeep.holla@kernel.org
Subject: Re: [PATCH v4 4/5] KVM: arm64: Fix bounds checking in do_ffa_mem_reclaim()
Date: Thu, 21 May 2026 13:12:51 +0100 [thread overview]
Message-ID: <86h5o1vu4c.wl-maz@kernel.org> (raw)
In-Reply-To: <CAFgf54qpNVvzSiV89g12-4jWeacm=06LMjCooeU1Mt+3sqWDLQ@mail.gmail.com>
On Thu, 21 May 2026 11:43:58 +0100,
Mostafa Saleh <smostafa@google.com> wrote:
>
> On Thu, May 21, 2026 at 11:30 AM Mostafa Saleh <smostafa@google.com> wrote:
> >
> > Hi Marc,
> >
> > On Thu, May 21, 2026 at 09:28:46AM +0100, Marc Zyngier wrote:
> > > On Wed, 20 May 2026 21:49:47 +0100,
> > > Mostafa Saleh <smostafa@google.com> wrote:
> > > >
> > > > Sashiko (locally) reports out of bound write possiblity if SPMD
> > > > returns an invalid data.
> > > >
> > > > While SPMD is considered trusted, pKVM does some basic checks,
> > > > for offset to be less than or equal len.
> > > >
> > > > However, that is incorrect as even if the offset is smaller than
> > > > len pKVM can still access out of bound memory in the next
> > > > ffa_host_unshare_ranges().
> > > >
> > > > Split this check into 2:
> > > > 1- Check that the fixed portion of the descriptor fits.
> > > > 2- After getting reg, check the variable array size addr_range_cnt
> > > > fits.
> > > >
> > > > Signed-off-by: Mostafa Saleh <smostafa@google.com>
> > > > ---
> > > > arch/arm64/kvm/hyp/nvhe/ffa.c | 7 ++++++-
> > > > 1 file changed, 6 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c
> > > > index 1af722771178..e6aa2bfa63b1 100644
> > > > --- a/arch/arm64/kvm/hyp/nvhe/ffa.c
> > > > +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c
> > > > @@ -607,7 +607,7 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_regs *res,
> > > > * check that we end up with something that doesn't look _completely_
> > > > * bogus.
> > > > */
> > > > - if (WARN_ON(offset > len ||
> > > > + if (WARN_ON(offset + CONSTITUENTS_OFFSET(0) > len ||
> > > > fraglen > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE)) {
> > >
> > > Do you really want to keep this a WARN_ON(), given that this results
> > > in a panic in most pKVM configurations?
> >
> > Which kind of configuration will that check fail on?
> > Does that mean at the moment pKVM does out-of-bound access for
> > the header?
> >
> I might have misunderstood the point. I thought you meant the new
> change would cause a panic on most configurations, or were you
> suggesting just removing the WARN_ON?
Just dropping the WARN_ON(), because for most users, that means just
killing the machine (only configurations with debug will give you a
stack trace).
> I can do that, I just updated the current faulty check and left the
> WARN_ON as is.
I'd be all for that.
Thanks,
M.
--
Without deviation from the norm, progress is not possible.
WARNING: multiple messages have this Message-ID (diff)
From: Marc Zyngier via OP-TEE <op-tee@lists.trustedfirmware.org>
To: Mostafa Saleh <smostafa@google.com>
Cc: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org,
kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com,
catalin.marinas@arm.com, sumit.garg@kernel.org,
sebastianene@google.com, vdonnefort@google.com,
sudeep.holla@kernel.org
Subject: Re: [PATCH v4 4/5] KVM: arm64: Fix bounds checking in do_ffa_mem_reclaim()
Date: Thu, 21 May 2026 13:12:51 +0100 [thread overview]
Message-ID: <86h5o1vu4c.wl-maz@kernel.org> (raw)
In-Reply-To: <CAFgf54qpNVvzSiV89g12-4jWeacm=06LMjCooeU1Mt+3sqWDLQ@mail.gmail.com>
On Thu, 21 May 2026 11:43:58 +0100,
Mostafa Saleh <smostafa@google.com> wrote:
>
> On Thu, May 21, 2026 at 11:30 AM Mostafa Saleh <smostafa@google.com> wrote:
> >
> > Hi Marc,
> >
> > On Thu, May 21, 2026 at 09:28:46AM +0100, Marc Zyngier wrote:
> > > On Wed, 20 May 2026 21:49:47 +0100,
> > > Mostafa Saleh <smostafa@google.com> wrote:
> > > >
> > > > Sashiko (locally) reports out of bound write possiblity if SPMD
> > > > returns an invalid data.
> > > >
> > > > While SPMD is considered trusted, pKVM does some basic checks,
> > > > for offset to be less than or equal len.
> > > >
> > > > However, that is incorrect as even if the offset is smaller than
> > > > len pKVM can still access out of bound memory in the next
> > > > ffa_host_unshare_ranges().
> > > >
> > > > Split this check into 2:
> > > > 1- Check that the fixed portion of the descriptor fits.
> > > > 2- After getting reg, check the variable array size addr_range_cnt
> > > > fits.
> > > >
> > > > Signed-off-by: Mostafa Saleh <smostafa@google.com>
> > > > ---
> > > > arch/arm64/kvm/hyp/nvhe/ffa.c | 7 ++++++-
> > > > 1 file changed, 6 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c
> > > > index 1af722771178..e6aa2bfa63b1 100644
> > > > --- a/arch/arm64/kvm/hyp/nvhe/ffa.c
> > > > +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c
> > > > @@ -607,7 +607,7 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_regs *res,
> > > > * check that we end up with something that doesn't look _completely_
> > > > * bogus.
> > > > */
> > > > - if (WARN_ON(offset > len ||
> > > > + if (WARN_ON(offset + CONSTITUENTS_OFFSET(0) > len ||
> > > > fraglen > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE)) {
> > >
> > > Do you really want to keep this a WARN_ON(), given that this results
> > > in a panic in most pKVM configurations?
> >
> > Which kind of configuration will that check fail on?
> > Does that mean at the moment pKVM does out-of-bound access for
> > the header?
> >
> I might have misunderstood the point. I thought you meant the new
> change would cause a panic on most configurations, or were you
> suggesting just removing the WARN_ON?
Just dropping the WARN_ON(), because for most users, that means just
killing the machine (only configurations with debug will give you a
stack trace).
> I can do that, I just updated the current faulty check and left the
> WARN_ON as is.
I'd be all for that.
Thanks,
M.
--
Without deviation from the norm, progress is not possible.
next prev parent reply other threads:[~2026-05-21 12:12 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-20 20:49 [PATCH v4 0/5] arm_ffa, KVM: Fix FF-A emad offset calculations Mostafa Saleh
2026-05-20 20:49 ` Mostafa Saleh via OP-TEE
2026-05-20 20:49 ` [PATCH v4 1/5] optee: ffa: Add NULL check in optee_ffa_lend_protmem Mostafa Saleh
2026-05-20 20:49 ` Mostafa Saleh via OP-TEE
2026-05-20 20:49 ` [PATCH v4 2/5] firmware: arm_ffa: Fix out-of-bound writes in ffa_setup_and_transmit() Mostafa Saleh
2026-05-20 20:49 ` Mostafa Saleh via OP-TEE
2026-05-21 12:51 ` Sudeep Holla
2026-05-21 12:51 ` Sudeep Holla via OP-TEE
2026-05-20 20:49 ` [PATCH v4 3/5] firmware: arm_ffa: Fix Endpoint Memory Access Descriptor offset calculation Mostafa Saleh
2026-05-20 20:49 ` Mostafa Saleh via OP-TEE
2026-05-21 12:55 ` Sudeep Holla
2026-05-21 12:55 ` Sudeep Holla via OP-TEE
2026-05-20 20:49 ` [PATCH v4 4/5] KVM: arm64: Fix bounds checking in do_ffa_mem_reclaim() Mostafa Saleh
2026-05-20 20:49 ` Mostafa Saleh via OP-TEE
2026-05-21 8:28 ` Marc Zyngier via OP-TEE
2026-05-21 8:28 ` Marc Zyngier
2026-05-21 10:30 ` Mostafa Saleh
2026-05-21 10:30 ` Mostafa Saleh via OP-TEE
2026-05-21 10:43 ` Mostafa Saleh
2026-05-21 10:43 ` Mostafa Saleh via OP-TEE
2026-05-21 12:12 ` Marc Zyngier [this message]
2026-05-21 12:12 ` Marc Zyngier via OP-TEE
2026-05-20 20:49 ` [PATCH v4 5/5] KVM: arm64: Validate the offset to the mem access descriptor Mostafa Saleh
2026-05-20 20:49 ` Mostafa Saleh via OP-TEE
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=86h5o1vu4c.wl-maz@kernel.org \
--to=maz@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=jens.wiklander@linaro.org \
--cc=joey.gouly@arm.com \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=op-tee@lists.trustedfirmware.org \
--cc=oupton@kernel.org \
--cc=sebastianene@google.com \
--cc=smostafa@google.com \
--cc=sudeep.holla@kernel.org \
--cc=sumit.garg@kernel.org \
--cc=suzuki.poulose@arm.com \
--cc=vdonnefort@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.