Commit 103e17aa authored by Sebastian Ene's avatar Sebastian Ene Committed by Marc Zyngier
Browse files

KVM: arm64: Check the untrusted offset in FF-A memory share 



Verify the offset to prevent OOB access in the hypervisor
FF-A buffer in case an untrusted large enough value
[U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX]
is set from the host kernel.

Signed-off-by: default avatarSebastian Ene <sebastianene@google.com>
Acked-by: default avatarWill Deacon <will@kernel.org>
Link: https://patch.msgid.link/20251017075710.2605118-1-sebastianene@google.com


Signed-off-by: default avatarMarc Zyngier <maz@kernel.org>
parent f71f7afd

arch/arm64/kvm/hyp/nvhe/ffa.c

+7 −2
Original line number Diff line number Diff line
@@ -479,7 +479,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, 
	struct ffa_mem_region_attributes *ep_mem_access;

	struct ffa_composite_mem_region *reg;

	struct ffa_mem_region *buf;

	u32 offset, nr_ranges;

	u32 offset, nr_ranges, checked_offset;

	int ret = 0;



	if (addr_mbz || npages_mbz || fraglen > len ||
@@ -516,7 +516,12 @@ static void __do_ffa_mem_xfer(const u64 func_id, 
		goto out_unlock;

	}



	if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) {

	if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) {

		ret = FFA_RET_INVALID_PARAMETERS;

		goto out_unlock;

	}



	if (fraglen < checked_offset) {

		ret = FFA_RET_INVALID_PARAMETERS;

		goto out_unlock;

	}