fix(el3-spmc): improve bound check for descriptor

Ensure that there is sufficient space in the memory
descriptor to accommodate the size of the composite memory
struct as part of the descriptor.

Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Iea646b144c59a2a1a171298cabb5f31040a8af31

diff --git a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
index 89d7b3177e22d081acca6082d00a3e5839a2444c..bf3fb280f370729885c1cca5c5a9aa9d4fe7016f 100644 (file)
--- a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
+++ b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
@@ -385,7 +385,8 @@ spmc_shm_get_v1_1_descriptor_size(struct ffa_mtd_v1_0 *orig, size_t desc_size)
              emad_array[0].comp_mrd_offset);
 
        /* Check the calculated address is within the memory descriptor. */
-       if ((uintptr_t) mrd >= (uintptr_t)((uint8_t *) orig + desc_size)) {
+       if (((uintptr_t) mrd + sizeof(struct ffa_comp_mrd)) >
+           (uintptr_t)((uint8_t *) orig + desc_size)) {
                return 0;
        }
        size += mrd->address_range_count * sizeof(struct ffa_cons_mrd);
@@ -424,7 +425,8 @@ spmc_shm_get_v1_0_descriptor_size(struct ffa_mtd *orig, size_t desc_size)
              emad_array[0].comp_mrd_offset);
 
        /* Check the calculated address is within the memory descriptor. */
-       if ((uintptr_t) mrd >= (uintptr_t)((uint8_t *) orig + desc_size)) {
+       if (((uintptr_t) mrd + sizeof(struct ffa_comp_mrd)) >
+           (uintptr_t)((uint8_t *) orig + desc_size)) {
                return 0;
        }
        size += mrd->address_range_count * sizeof(struct ffa_cons_mrd);