From: sashiko-bot@kernel.org
To: "Pankaj Gupta" <pankaj.gupta@nxp.com>
Cc: imx@lists.linux.dev, Frank.Li@kernel.org
Subject: Re: [PATCH -next] firmware: imx: secure-enclave: drop invalid overflow check in iobuf setup
Date: Thu, 14 May 2026 17:26:07 +0000
Message-ID: <20260514172607.DB36EC2BCB3@smtp.kernel.org>
In-Reply-To: <20260514090321.2186877-1-pankaj.gupta@nxp.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Removing the `io.length > SIZE_MAX - 7` check introduces an integer overflow in `round_up()` on 32-bit architectures, leading to a massive out-of-bounds write.
--
commit f1f29a6c58c5d6e658a6207ce15040a2bef1f1c1
Author: Pankaj Gupta <pankaj.gupta@nxp.com>
firmware: imx: secure-enclave: drop invalid overflow check in iobuf setup
This commit removes a check comparing io.length against SIZE_MAX - 7, as it
always evaluates to false on 64-bit systems. It instead relies on size_t-based
alignment and existing shared memory bounds validation.
Closes: https://lore.kernel.org/oe-kbuild-all/202605081441.lIHK75ug-lkp@intel.com/
> diff --git a/drivers/firmware/imx/se_ctrl.c b/drivers/firmware/imx/se_ctrl.c
> index f88e581fc147e..1683b259864f1 100644
> --- a/drivers/firmware/imx/se_ctrl.c
> +++ b/drivers/firmware/imx/se_ctrl.c
> @@ -670,11 +670,6 @@ static int se_ioctl_setup_iobuf_handler(struct se_if_device_ctx *dev_ctx,
> goto copy;
> }
>
> - if (io.length > SIZE_MAX - 7) {
> - dev_err(dev_ctx->priv->dev, "%s: Invalid buffer length.",
> - dev_ctx->devname);
> - return -EINVAL;
> - }
> aligned_len = round_up((size_t)io.length, 8);
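
Review bot: dropping the `io.length > SIZE_MAX - 7` test leaves `round_up((size_t)io.length, 8)` on the last line of this hunk with no guard against wrapping where size_t is 32 bits wide; the commit message only argues that the test is dead on 64-bit systems. Rather than deleting it, keep a guard that is meaningful at both widths, for example a comparison against `U32_MAX - 7` if io.length is a 32-bit field (its type is not visible in this hunk), or compute the aligned length with check_add_overflow() and return -EINVAL on overflow.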

On 32-bit platforms where size_t is 32 bits, can this round_up() overflow if
io.length is near U32_MAX?

If io.length is between 0xFFFFFFF9 and 0xFFFFFFFF, round_up() will wrap
around to 0.

If aligned_len wraps to 0, does it bypass the subsequent shared memory bounds
validation?

	if (shared_mem->size < shared_mem->pos ||
	    aligned_len > (shared_mem->size - shared_mem->pos)) {

This appears to cause a regression where the following memset() can perform an
out-of-bounds write using the original un-rounded io.length value:

	memset(shared_mem->ptr + pos, 0, io.length);

--
Sashiko AI review · https://sashiko.dev/#/patchset/20260514090321.2186877-1-pankaj.gupta@nxp.com?part=1
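
The wrap described in the review above, reproduced as an added example that is not part of this message or of the driver: size_t is modelled as uint32_t so the result is the same on a 64-bit host, and the function names, the 4096-byte region and the 64-byte position are constructed for illustration. It runs the quoted bounds test with and without the removed guard.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit size_t so the wrap reproduces on a 64-bit host. */
typedef uint32_t size32_t;

/* Same arithmetic as the kernel's round_up() for a power-of-two y. */
static size32_t round_up32(size32_t x, size32_t y)
{
	return (size32_t)(((x - 1) | (y - 1)) + 1);
}

/* Bounds test quoted in the review; true means the request is refused. */
static bool out_of_bounds(size32_t size, size32_t pos, size32_t aligned_len)
{
	return size < pos || aligned_len > (size - pos);
}

/* Flow after the patch (hypothetical helper): returns the byte count
 * memset() would be given, or -1 if the request is refused. */
static int64_t setup_unguarded(size32_t size, size32_t pos, size32_t length)
{
	size32_t aligned_len = round_up32(length, 8);
	if (out_of_bounds(size, pos, aligned_len))
		return -1;
	return (int64_t)length;	/* the un-rounded length is what gets cleared */
}

/* Flow with the removed guard restored (SIZE_MAX - 7 at 32-bit width). */
static int64_t setup_guarded(size32_t size, size32_t pos, size32_t length)
{
	if (length > UINT32_MAX - 7)
		return -1;
	return setup_unguarded(size, pos, length);
}

int main(void)
{
	/* Constructed values: a 4096-byte region with 64 bytes already used. */
	const size32_t lens[] = { 100, 5000, 0xFFFFFFF8u, 0xFFFFFFF9u, 0xFFFFFFFFu };

	for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
		printf("len=0x%08" PRIX32 " aligned=0x%08" PRIX32 " unguarded=%" PRId64
		       " guarded=%" PRId64 "\n", lens[i], round_up32(lens[i], 8),
		       setup_unguarded(4096, 64, lens[i]), setup_guarded(4096, 64, lens[i]));
	return 0;
}
```

Only the lengths 0xFFFFFFF9 through 0xFFFFFFFF pass the unguarded bounds test with an aligned length of 0; 0xFFFFFFF8 is already a multiple of 8 and is refused by the bounds test itself.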