Date: Wed, 27 May 2026 15:02:32 +0000
From: Mostafa Saleh
To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh
Subject: [PATCH v6 2/6] firmware: arm_ffa: Fix out-of-bound writes in ffa_setup_and_transmit()
Message-ID: <20260527150236.1978655-3-smostafa@google.com>
In-Reply-To: <20260527150236.1978655-1-smostafa@google.com>
References: <20260527150236.1978655-1-smostafa@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.54.0.746.g67dd491aae-goog
Content-Type: text/plain; charset="UTF-8"

Sashiko (locally) reports multiple out-of-bounds issues in ffa_setup_and_transmit:

1) Writing ep_mem_access->reserved can write out of bounds for FFA versions < 1.2, as ffa_emad_size_get() returns 16 bytes in that case while reserved has an offset of 24. Instead of zeroing fields, memset the struct to zero first based on the FFA version.

2) Make sure there is enough size to write constituents.

While at it, convert the only sizeof() in the driver that uses a type instead of a variable.

Reviewed-by: Sudeep Holla
Fixes: 111a833dc5cb ("firmware: arm_ffa: Set reserved/MBZ fields to zero in the memory descriptors")
Signed-off-by: Mostafa Saleh
---
 drivers/firmware/arm_ffa/driver.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index b9f17fda7243..059e2aae7ca0 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -715,11 +715,10 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32 max_fragsize, for (idx = 0; idx < args->nattrs; idx++) { ep_mem_access = buffer + ffa_mem_desc_offset(buffer, idx, drv_info->version); + memset(ep_mem_access, 0, ffa_emad_size_get(drv_info->version)); ep_mem_access->receiver = args->attrs[idx].receiver; ep_mem_access->attrs = args->attrs[idx].attrs; ep_mem_access->composite_off = composite_offset; - ep_mem_access->flag = 0; - ep_mem_access->reserved = 0; ffa_emad_impdef_value_init(drv_info->version, ep_mem_access->impdef_val, args->attrs[idx].impdef_val); @@ -759,7 +758,7 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32 max_fragsize, constituents = buffer; } - if ((void *)constituents - buffer > max_fragsize) { + if ((void *)constituents + sizeof(*constituents) - buffer > max_fragsize) { pr_err("Memory Region Fragment > Tx Buffer size\n"); return -EFAULT; } @@ -768,7 +767,7 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32 max_fragsize, constituents->pg_cnt = args->sg->length / FFA_PAGE_SIZE; constituents->reserved = 0; constituents++; - frag_len += sizeof(struct ffa_mem_region_addr_range); + frag_len += sizeof(*constituents); } while ((args->sg = sg_next(args->sg))); return ffa_transmit_fragment(func_id, addr, buf_sz, frag_len, -- 2.54.0.746.g67dd491aae-goog
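Review bot: in the first hunk (the memset in the nattrs loop), nothing visible bounds `buffer + ffa_mem_desc_offset(buffer, idx, drv_info->version)` plus `ffa_emad_size_get(drv_info->version)` against max_fragsize; the only size check in the function is the one on constituents further down. If nattrs is already limited elsewhere so that every descriptor fits in the Tx buffer, a one-line comment above the memset saying so would save the next reader the question; otherwise the memset needs a check of the same shape as the constituents one before it. Separately, for versions < 1.2 the 16-byte memset now also covers the bytes the struct uses for impdef_val (offsets 8 to 23 in the layout the commit message describes), so zeroing of the old-format reserved bytes depends on ffa_emad_impdef_value_init() leaving impdef_val alone for those versions; worth stating in a comment next to the call.

Review bot: in the second hunk (the constituents size check), the new condition is right and closes the case the old `>` check let through, where constituents sits exactly at buffer + max_fragsize and the following `constituents->address` / `pg_cnt` / `reserved` stores land sizeof(*constituents) bytes past the buffer. The error code is still -EFAULT for what is a capacity failure rather than a bad address; that is pre-existing, but since the line is being rewritten anyway, -ENOMEM or -EINVAL would describe the condition better, and the pr_err text "Memory Region Fragment > Tx Buffer size" could include the offending lengths to make the failure diagnosable.

Review bot: in the third hunk, `frag_len += sizeof(*constituents);` is reached after `constituents++;` has already advanced the pointer. sizeof does not evaluate its operand, so this is correct, but it reads as if it were sizing the next element. Swapping the two statements, so that frag_len is increased before the increment, keeps the "sizeof on the variable" change and removes the double-take.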
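The two out-of-bounds conditions the commit message describes, as an added C example that is not the arm_ffa driver's code: a mock descriptor struct laid out with the offsets the message states (a 16-byte on-wire descriptor for FF-A < 1.2, reserved at struct offset 24), a buggy fill routine that zeroes reserved through the struct type, the fixed routine that memsets the version-sized descriptor first, and the old versus new constituent bound check. The struct and function names, the version-encoding macro and the canary value are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed mock, not the kernel's struct ffa_mem_region_attributes.
 * Layout follows the commit message: the struct carries the v1.2
 * impdef_val[16] before reserved, so reserved sits at offset 24, while the
 * on-wire descriptor for FF-A < 1.2 is only 16 bytes long. */
struct emad {
	uint16_t receiver;
	uint8_t  attrs;
	uint8_t  flag;
	uint32_t composite_off;
	uint8_t  impdef_val[16];
	uint64_t reserved;
};

/* Assumption: version encoded as major << 16 | minor. */
#define FFA_VER(maj, min) (((uint32_t)(maj) << 16) | (uint32_t)(min))

static size_t emad_size_get(uint32_t version)
{
	return version < FFA_VER(1, 2) ? 16 : sizeof(struct emad);
}

/* Buggy pattern: zero the fields one by one through the struct type.
 * The reserved store is 8 bytes at offset 24 regardless of version. */
static void fill_emad_buggy(void *slot, uint16_t receiver)
{
	struct emad *e = slot;

	e->receiver = receiver;
	e->attrs = 0;
	e->composite_off = 0;
	e->flag = 0;
	e->reserved = 0;
}

/* Fixed pattern: zero exactly the on-wire size for this version, then
 * only write fields that exist in every version. */
static void fill_emad_fixed(void *slot, uint32_t version, uint16_t receiver)
{
	struct emad *e = slot;

	memset(e, 0, emad_size_get(version));
	e->receiver = receiver;
	e->attrs = 0;
	e->composite_off = 0;
}

#define CANARY 0xA5

/* Place one descriptor of the version's size at the start of a canary-filled
 * buffer, run the chosen fill routine and count canary bytes that changed.
 * Returns the number of bytes written past the descriptor (0 == no OOB). */
static int oob_bytes(uint32_t version, int use_fixed)
{
	uint64_t backing[8];                 /* 64 bytes, 8-byte aligned */
	uint8_t *buf = (uint8_t *)backing;
	size_t n = emad_size_get(version), i;
	int clobbered = 0;

	memset(buf, CANARY, sizeof(backing));
	if (use_fixed)
		fill_emad_fixed(buf, version, 1);
	else
		fill_emad_buggy(buf, 1);
	for (i = n; i < sizeof(backing); i++)
		if (buf[i] != CANARY)
			clobbered++;
	return clobbered;
}

/* Second fix, modelled on offsets: a constituent (mock of the driver's
 * ffa_mem_region_addr_range) about to be written at `offset` bytes into a
 * fragment of `max_fragsize` bytes. The old check only tested the first
 * byte; the new one requires the whole struct to fit. Return 1 if allowed. */
struct addr_range {
	uint64_t address;
	uint32_t pg_cnt;
	uint32_t reserved;
};

static int constituent_fits_old(size_t offset, size_t max_fragsize)
{
	return !(offset > max_fragsize);
}

static int constituent_fits_new(size_t offset, size_t max_fragsize)
{
	return !(offset + sizeof(struct addr_range) > max_fragsize);
}

int main(void)
{
	printf("v1.1 buggy fill: %d bytes past descriptor\n", oob_bytes(FFA_VER(1, 1), 0));
	printf("v1.1 fixed fill: %d bytes past descriptor\n", oob_bytes(FFA_VER(1, 1), 1));
	printf("constituent at end of 4096-byte fragment: old=%d new=%d\n",
	       constituent_fits_old(4096, 4096), constituent_fits_new(4096, 4096));
	return 0;
}
```

The canary count is the whole point: with a pre-1.2 version the buggy fill reports 8 clobbered bytes, which is the `reserved` store landing at offsets 24 to 31 of a 16-byte slot, and the version-sized memset brings that to zero without touching anything beyond the descriptor. The offset check mirrors the second hunk: an offset equal to max_fragsize passed the old test and would have written a whole constituent past the end.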