From 21ed9ea32325fc556fa7e907e4995888bd3a3b45 Mon Sep 17 00:00:00 2001
From: Marc Bonnici
Date: Tue, 18 Oct 2022 13:57:16 +0100
Subject: [PATCH] fix(el3-spmc): fix location of fragment length check

Ensure that the fragment_length parameter is validated to prevent a buffer overflow before it is used.

Reported by Matt Oh, Google Android Red Team.

Reported-by: mattoh@google.com
Signed-off-by: Marc Bonnici
Change-Id: I0323c096ffd988fbd85bbd4ade3abd8427aea977
---
 services/std_svc/spm/el3_spmc/spmc_shared_mem.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
index 6f6d273d6..d4d0407c1 100644
--- a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
+++ b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
@@ -885,9 +885,6 @@ static long spmc_ffa_fill_desc(struct mailbox *mbox,
 goto err_arg;
 }
 
- memcpy((uint8_t *)&obj->desc + obj->desc_filled,
- (uint8_t *) mbox->tx_buffer, fragment_length);
-
 if (fragment_length > obj->desc_size - obj->desc_filled) {
 WARN("%s: bad fragment size %u > %zu remaining\n",
 __func__, fragment_length, obj->desc_size - obj->desc_filled);
@@ -895,6 +892,9 @@ static long spmc_ffa_fill_desc(struct mailbox *mbox,
 goto err_arg;
 }
 
+ memcpy((uint8_t *)&obj->desc + obj->desc_filled,
+ (uint8_t *) mbox->tx_buffer, fragment_length);
+
 /* Ensure that the sender ID resides in the normal world. */
 if (ffa_is_secure_world_id(obj->desc.sender_id)) {
 WARN("%s: Invalid sender ID 0x%x.\n",
-- 
2.39.5
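Review bot: The memcpy added in the second hunk carries no comment tying it to the remaining-space check it now follows, so nothing stops a later edit from moving it back above the `if (fragment_length > obj->desc_size - obj->desc_filled)` test; add `/* Copy only after fragment_length has been bounded by the remaining descriptor space above. */` directly above the memcpy. That check also relies on obj->desc_filled never exceeding obj->desc_size, since the size_t subtraction would otherwise wrap and admit any fragment_length — presumably an invariant maintained by the caller, worth confirming. Whether fragment_length is additionally bounded by the size of mbox->tx_buffer is not visible in either hunk; if that check does not live earlier in the function, the copy could read past the mailbox even though the write into obj->desc is now bounded. spmc_ffa_fill_desc starts and ends outside both hunks.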