[PATCH v2 08/11] firmware: arm_ffa: Validate framework notification message layout

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Sudeep Holla <sudeep.holla@kernel.org>
To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Cc: Jens Wiklander <jens.wiklander@linaro.org>,
	 Sudeep Holla <sudeep.holla@kernel.org>
Subject: [PATCH v2 08/11] firmware: arm_ffa: Validate framework notification message layout
Date: Tue, 28 Apr 2026 19:33:32 +0100	[thread overview]
Message-ID: <20260428-ffa_fixes-v2-8-8595ae450034@kernel.org> (raw)
In-Reply-To: <20260428-ffa_fixes-v2-0-8595ae450034@kernel.org>

Framework notifications carry an indirect message in the shared RX
buffer. Validate the reported offset and size before using them, reject
zero-length payloads, and ensure that any non-header payload starts at
the UUID field rather than in the middle of the message header.

Use the validated offset and size values for both kmemdup() and the UUID
parsing path so malformed firmware data cannot drive an out-of-bounds
read or an oversized allocation.

Fixes: 285a5ea0f542 ("firmware: arm_ffa: Add support for handling framework notifications")
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
---
 drivers/firmware/arm_ffa/driver.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index 18bcbd161805..4944aa6b815f 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -1489,21 +1489,35 @@ static void handle_fwk_notif_callbacks(u32 bitmap)
 	int notify_id = 0, target;
 	struct ffa_indirect_msg_hdr *msg;
 	struct notifier_cb_info *cb_info = NULL;
+	size_t min_offset = offsetof(struct ffa_indirect_msg_hdr, uuid);
 
 	/* Only one framework notification defined and supported for now */
 	if (!(bitmap & FRAMEWORK_NOTIFY_RX_BUFFER_FULL))
 		return;
 
 	scoped_guard(mutex, &drv_info->rx_lock) {
+		u32 offset, size;
+
 		msg = drv_info->rx_buffer;
-		buf = kmemdup((void *)msg + msg->offset, msg->size, GFP_KERNEL);
+		offset = msg->offset;
+		size = msg->size;
+
+		if (!size || (offset != min_offset && offset < sizeof(*msg)) ||
+		    offset > drv_info->rxtx_bufsz ||
+		    size > drv_info->rxtx_bufsz - offset) {
+			pr_err("invalid framework notification message\n");
+			ffa_rx_release();
+			return;
+		}
+
+		buf = kmemdup((void *)msg + offset, size, GFP_KERNEL);
 		if (!buf) {
 			ffa_rx_release();
 			return;
 		}
 
 		target = SENDER_ID(msg->send_recv_id);
-		if (msg->offset >= sizeof(*msg))
+		if (offset >= sizeof(*msg))
 			uuid_copy(&uuid, &msg->uuid);
 		else
 			uuid_copy(&uuid, &uuid_null);

-- 
2.43.0

next prev parent reply	other threads:[~2026-04-28 18:33 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-28 18:33 [PATCH v2 00/11] firmware: arm_ffa: Fix cleanup, notification, and discovery paths Sudeep Holla
2026-04-28 18:33 ` [PATCH v2 01/11] firmware: arm_ffa: Check for NULL FF-A ID table while driver registration Sudeep Holla
2026-04-28 18:33 ` [PATCH v2 02/11] firmware: arm_ffa: Skip free_pages on RX buffer alloc failure Sudeep Holla
2026-04-28 18:33 ` [PATCH v2 03/11] firmware: arm_ffa: Avoid collapsing NPI work from different CPUs Sudeep Holla
2026-04-28 18:33 ` [PATCH v2 04/11] firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue Sudeep Holla
2026-04-28 18:33 ` [PATCH v2 05/11] firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0 Sudeep Holla
2026-04-28 18:33 ` [PATCH v2 06/11] firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies Sudeep Holla
2026-04-28 18:33 ` [PATCH v2 07/11] firmware: arm_ffa: Keep framework RX release under lock Sudeep Holla
2026-04-28 18:33 ` Sudeep Holla [this message]
2026-04-28 18:33 ` [PATCH v2 09/11] firmware: arm_ffa: Align RxTx buffer size before mapping Sudeep Holla
2026-04-28 18:33 ` [PATCH v2 10/11] firmware: arm_ffa: Snapshot notifier callbacks under lock Sudeep Holla
2026-04-28 18:33 ` [PATCH v2 11/11] firmware: arm_ffa: Fix sched-recv callback partition lookup Sudeep Holla

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:18bcbd16180 dfblob:4944aa6b815 )
 OR (
bs:"[PATCH v2 08/11] firmware: arm_ffa: Validate framework notification message layout" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260428-ffa_fixes-v2-8-8595ae450034@kernel.org \
    --to=sudeep.holla@kernel.org \
    --cc=jens.wiklander@linaro.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox