From def7590b3e34ff69b297c239cb8948d0bdc9c691 Mon Sep 17 00:00:00 2001
From: Marc Bonnici
Date: Tue, 18 Oct 2022 18:01:44 +0100
Subject: [PATCH] fix(el3-spmc): improve bound check for descriptor

Ensure that there is sufficient space in the memory descriptor to accommodate the size of the composite memory struct as part of the descriptor.

Signed-off-by: Marc Bonnici
Change-Id: Iea646b144c59a2a1a171298cabb5f31040a8af31
---
 services/std_svc/spm/el3_spmc/spmc_shared_mem.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
index 89d7b3177..bf3fb280f 100644
--- a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
+++ b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
@@ -385,7 +385,8 @@ spmc_shm_get_v1_1_descriptor_size(struct ffa_mtd_v1_0 *orig, size_t desc_size)
 emad_array[0].comp_mrd_offset);
 /* Check the calculated address is within the memory descriptor. */
- if ((uintptr_t) mrd >= (uintptr_t)((uint8_t *) orig + desc_size)) {
+ if (((uintptr_t) mrd + sizeof(struct ffa_comp_mrd)) >
+ (uintptr_t)((uint8_t *) orig + desc_size)) {
 return 0;
 }
 size += mrd->address_range_count * sizeof(struct ffa_cons_mrd);
@@ -424,7 +425,8 @@ spmc_shm_get_v1_0_descriptor_size(struct ffa_mtd *orig, size_t desc_size)
 emad_array[0].comp_mrd_offset);
 /* Check the calculated address is within the memory descriptor. */
- if ((uintptr_t) mrd >= (uintptr_t)((uint8_t *) orig + desc_size)) {
+ if (((uintptr_t) mrd + sizeof(struct ffa_comp_mrd)) >
+ (uintptr_t)((uint8_t *) orig + desc_size)) {
 return 0;
 }
 size += mrd->address_range_count * sizeof(struct ffa_cons_mrd);
-- 
2.39.5
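Review bot: The new bound is still evaluated on pointer values after `mrd` has apparently been derived from `emad_array[0].comp_mrd_offset`, a field read from the descriptor itself, so in spmc_shm_get_v1_1_descriptor_size (and identically in the second hunk, spmc_shm_get_v1_0_descriptor_size) an out-of-range offset first yields an out-of-bounds pointer and the `+ sizeof(struct ffa_comp_mrd)` sum can in principle wrap. Comparing in offset space before the pointer is formed avoids both: `if (desc_size < sizeof(struct ffa_comp_mrd) || emad_array[0].comp_mrd_offset > desc_size - sizeof(struct ffa_comp_mrd)) { return 0; }`. The context line that follows multiplies `mrd->address_range_count` by `sizeof(struct ffa_cons_mrd)` with no bound visible in the hunk; whether the count and the resulting `size` are validated elsewhere cannot be seen from here and is worth confirming. Both function bodies begin and end outside the hunks.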