From c4adbe6e67617bb2d4f0ffb1c1daa3395f7ac227 Mon Sep 17 00:00:00 2001
From: Marc Bonnici
Date: Tue, 18 Oct 2022 13:39:48 +0100
Subject: [PATCH] fix(el3-spmc): fix incomplete reclaim validation

Ensure that the full memory transaction descriptor has been transmitted before a request to reclaim the memory transaction is permitted. This prevents any potential accesses to the incomplete descriptor.

Reported by Matt Oh, Google Android Red Team.

Reported-by: mattoh@google.com
Signed-off-by: Marc Bonnici
Change-Id: I33e993c6b754632051e899ab20edd19b18b6cf65
---
 services/std_svc/spm/el3_spmc/spmc_shared_mem.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
index 1da2efc14..f7911b9b3 100644
--- a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
+++ b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
@@ -1828,6 +1828,13 @@ int spmc_ffa_mem_reclaim(uint32_t smc_fid,
 goto err_unlock;
 }
+ if (obj->desc_filled != obj->desc_size) {
+ WARN("%s: incomplete object desc filled %zu < size %zu\n",
+ __func__, obj->desc_filled, obj->desc_size);
+ ret = FFA_ERROR_INVALID_PARAMETER;
+ goto err_unlock;
+ }
+
 /* Allow for platform specific operations to be performed. */
 ret = plat_spmc_shmem_reclaim(&obj->desc);
 if (ret != 0) {
--
2.39.5
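Review bot: The diagnostic on the added WARN line does not match the condition it reports on: the guard rejects any `desc_filled != desc_size`, but the message hard-codes `<`, so a log entry would misstate the relationship if the filled count were ever larger than the size (whether that can happen depends on the fragment-handling code, which is outside this hunk). Either narrow the message to the comparison actually made, `WARN("%s: incomplete object desc filled %zu != size %zu\n",`, or keep the wording and change the guard to `if (obj->desc_filled < obj->desc_size) {` if a larger value is impossible by construction. The new block would also benefit from a one-line why-comment above it, since the reason is only in the commit message: `/* Reject reclaim until every fragment of the descriptor has been received; the descriptor contents are not valid before then. */`. The enclosing function `spmc_ffa_mem_reclaim` begins and ends outside the hunk, so the lock released at `err_unlock` and the origin of `obj` cannot be confirmed from here.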