From mboxrd@z Thu Jan 1 00:00:00 1970
From: Sudeep Holla
Date: Tue, 28 Apr 2026 19:33:32 +0100
Subject: [PATCH v2 08/11] firmware: arm_ffa: Validate framework notification message layout
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20260428-ffa_fixes-v2-8-8595ae450034@kernel.org>
References: <20260428-ffa_fixes-v2-0-8595ae450034@kernel.org>
In-Reply-To: <20260428-ffa_fixes-v2-0-8595ae450034@kernel.org>
To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Cc: Jens Wiklander, Sudeep Holla
X-Mailer: b4 0.15.2

Framework notifications carry an indirect message in the shared RX buffer.
Validate the reported offset and size before using them, reject zero-length
payloads, and ensure that any non-header payload starts at the UUID field
rather than in the middle of the message header.

Use the validated offset and size values for both kmemdup() and the UUID
parsing path so malformed firmware data cannot drive an out-of-bounds read
or an oversized allocation.

Fixes: 285a5ea0f542 ("firmware: arm_ffa: Add support for handling framework notifications")
Signed-off-by: Sudeep Holla
---
 drivers/firmware/arm_ffa/driver.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index 18bcbd161805..4944aa6b815f 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -1489,21 +1489,35 @@ static void handle_fwk_notif_callbacks(u32 bitmap) int notify_id = 0, target; struct ffa_indirect_msg_hdr *msg; struct notifier_cb_info *cb_info = NULL; + size_t min_offset = offsetof(struct ffa_indirect_msg_hdr, uuid); /* Only one framework notification defined and supported for now */ if (!(bitmap & FRAMEWORK_NOTIFY_RX_BUFFER_FULL)) return; scoped_guard(mutex, &drv_info->rx_lock) { + u32 offset, size; + msg = drv_info->rx_buffer; - buf = kmemdup((void *)msg + msg->offset, msg->size, GFP_KERNEL); + offset = msg->offset; + size = msg->size; + + if (!size || (offset != min_offset && offset < sizeof(*msg)) || + offset > drv_info->rxtx_bufsz || + size > drv_info->rxtx_bufsz - offset) { + pr_err("invalid framework notification message\n"); + ffa_rx_release(); + return; + } + + buf = kmemdup((void *)msg + offset, size, GFP_KERNEL); if (!buf) { ffa_rx_release(); return; } target = SENDER_ID(msg->send_recv_id); - if (msg->offset >= sizeof(*msg)) + if (offset >= sizeof(*msg)) uuid_copy(&uuid, &msg->uuid); else uuid_copy(&uuid, &uuid_null); -- 2.43.0
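Review bot: the rejection path `pr_err("invalid framework notification message\n");` fires on data the commit message itself describes as potentially malformed firmware input, and it runs on every RX_BUFFER_FULL notification, so a misbehaving sender can flood the log; consider `pr_err_ratelimited()` there. The bounds logic otherwise reads correctly: `!size` rejects empty payloads, the `(offset != min_offset && offset < sizeof(*msg))` term admits exactly one in-header offset (the `uuid` field), and `size > drv_info->rxtx_bufsz - offset` is only evaluated after `offset > drv_info->rxtx_bufsz` has been ruled out, so the subtraction cannot wrap. A one-line comment next to `min_offset` explaining that `offset == min_offset` means "message without a UUID" (the case the `uuid_copy(&uuid, &uuid_null)` branch below handles) would make that exception clearer to the next reader.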