From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f74.google.com (mail-wm1-f74.google.com [209.85.128.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 816F4428474 for ; Wed, 27 May 2026 15:02:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.74 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779894172; cv=none; b=XCGJ3Kf4IrjNhTWtfx+BQ9LkKhk1vlj506X37DtiIu5XtMfL2tTTzwGWMpfFU/4LLo7G1nTJ4THTmnEXXHFFh1Z2R/Kkl+psrz4WlTOIDAAf9al/mKrfX/4YaTCPMYztM/Ea2JHsOnrDrMa18Mr33SnNiOt4xuWlchv2WgWJmPQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779894172; c=relaxed/simple; bh=15nq+W4QtQnuAmCVcxh2XcM8fl+7JmCCyFIX1NGjd4w=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=P/gAocH6Svg/CpQ6ZTGDk4038GNUm/+nmBwN4OAyCTeEMCsnhdqaCqGv/4GkNBfE7Z3s0E94FGTgFG0uLsRjktlUBl+7dWs/KComco66NxYgxjPO8oMX8TUEXek+nLy+7v5eOq/9A5bcjiZfXwRu0rxIrKnmq6pRA5N0K+lD6yQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--smostafa.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=tu2D/SUJ; arc=none smtp.client-ip=209.85.128.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--smostafa.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="tu2D/SUJ" Received: by mail-wm1-f74.google.com with SMTP id 5b1f17b1804b1-490402ae2c1so56637865e9.0 for ; Wed, 27 May 2026 08:02:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20251104; t=1779894165; x=1780498965; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=ZKy2nPJ+cV4SO6crenI0U9khbA/AjfYfGtFJYOFvACc=; b=tu2D/SUJThoE4NPX7VbX0QRiCfF1oFkZBjwdyZxRTpnd1zjn4Zm5We4e3kY4wsKNMj 1/VQ75eUsvgkfLWj7fpVZnRc6cZZmiUE4kzkAg0QF26yCkeRxkuHE60xbjiMeHo81FKg QPNat4R41uqwEnTRaLdb/ONUdDEdRMDdFJPG9XCHEWJmlJ7Jn/cLChazG+KG3x4QSzCE hTvQsGUoVWNAPnI5hh/DR0zqBtjNkdALgmUrzI3oyEyqjNeGRF6ujE0lCUsdchwFLmkx cUDt6G/flKzX/8IziqUQU+BbklNdD8Z2pUvC1DtUBpEI46VidI12bGnGmsWez2FKdwj+ QDRw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779894165; x=1780498965; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=ZKy2nPJ+cV4SO6crenI0U9khbA/AjfYfGtFJYOFvACc=; b=PldEMUh+poZSQC/2o3gVFR2L7qkY+p05UO3zph/WewQGx2lhccCk/BJFh8F95xMUfm AwVWO/x5+yeoWlUAVMOGtfIwfjr43DTs8BFozcmoJ4Ef6i1iyTR6N0Wg7bR2sI1e5nl1 GWKFDGTIfYM1On8RtPRm5FvKXp4ioQP2wuk7oXUNy+32NY7r9jDmERWm3LMCyK8GSqeq kNBnLY4GAGDVsD5wpsf3O/dGQDoe60sVsz0LNrNCKVaUnaPAXaHPZJjf5xeHY0+Yjc4Q JTr790splXrFJnqmjJ4M0FRjAaOUAacAjkTHXv4wc4lAuFrWfrkXGQuuWkRKCsszUSkN Xrsw== X-Forwarded-Encrypted: i=1; AFNElJ8awT6uRwmPe+Z+QwK36HcYQttUhdDeyObFkLh+hG6Fn0jUehB5LqYZkDpyiPPRyBzLw1qVH+hv//AliZc=@vger.kernel.org X-Gm-Message-State: AOJu0Yx/Hhrri2xe/xIF21DI0ktYGdl3trTtswUEsi6cMTIo89yDdK+7 rgaJKyPB3zsko02dZIbYIE0fCy2lRVhoxF66LSH3zfvP+vIAh3BRGDtj0vRmhxeAHEuohPGXQLi qri8i6d3HkavCmA== X-Received: from wmon5.prod.google.com ([2002:a05:600c:4645:b0:489:1b1b:132]) (user=smostafa job=prod-delivery.src-stubby-dispatcher) by 2002:a05:600c:2a8b:b0:489:1abb:5559 with SMTP id 5b1f17b1804b1-4904226d9camr214273595e9.5.1779894165174; Wed, 27 May 2026 08:02:45 -0700 (PDT) Date: Wed, 27 May 2026 15:02:34 +0000 In-Reply-To: <20260527150236.1978655-1-smostafa@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20260527150236.1978655-1-smostafa@google.com> X-Mailer: git-send-email 2.54.0.746.g67dd491aae-goog Message-ID: <20260527150236.1978655-5-smostafa@google.com> Subject: [PATCH v6 4/6] KVM: arm64: Fix bounds checking in do_ffa_mem_reclaim() From: Mostafa Saleh To: op-tee@lists.trustedfirmware.org, linux-kernel@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, jens.wiklander@linaro.org, sumit.garg@kernel.org, sebastianene@google.com, vdonnefort@google.com, sudeep.holla@kernel.org, Mostafa Saleh Content-Type: text/plain; charset="UTF-8" Sashiko (locally) reports out of bound write possiblity if SPMD returns an invalid data. While SPMD is considered trusted, pKVM does some basic checks, for offset to be less than or equal len. However, that is incorrect as even if the offset is smaller than len pKVM can still access out of bound memory in the next ffa_host_unshare_ranges(). Split this check into 2: 1- Check that the fixed portion of the descriptor fits. 2- After getting reg, check the variable array size addr_range_cnt fits. Also, drop the WARN_ONs as that will panic the kernel and in the next checks there are no WARNs, so that makes it consistent. Fixes: 0a9f15fd5674 ("KVM: arm64: pkvm: Add support for fragmented FF-A descriptors") Signed-off-by: Mostafa Saleh --- arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c index 1af722771178..b6cf9ad82e12 100644 --- a/arch/arm64/kvm/hyp/nvhe/ffa.c +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c @@ -607,8 +607,8 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_regs *res, * check that we end up with something that doesn't look _completely_ * bogus. */ - if (WARN_ON(offset > len || - fraglen > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE)) { + if (offset + CONSTITUENTS_OFFSET(0) > len || + fraglen > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE) { ret = FFA_RET_ABORTED; ffa_rx_release(res); goto out_unlock; @@ -641,6 +641,11 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_regs *res, goto out_unlock; reg = (void *)buf + offset; + if (offset + CONSTITUENTS_OFFSET(reg->addr_range_cnt) > len) { + ret = FFA_RET_ABORTED; + goto out_unlock; + } + /* If the SPMD was happy, then we should be too. */ WARN_ON(ffa_host_unshare_ranges(reg->constituents, reg->addr_range_cnt)); -- 2.54.0.746.g67dd491aae-goog