fix(el3-spmc): fix incomplete reclaim validation

Ensure that the full memory transaction descriptor has been transmitted
before a request to reclaim the memory transaction is permitted.
This prevents any potential accesses to the incomplete descriptor.
Reported by Matt Oh, Google Android Red Team.

Reported-by: mattoh@google.com
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I33e993c6b754632051e899ab20edd19b18b6cf65

diff --git a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
index 1da2efc149ed36c98f4ed111e780cc7204fc47dc..f7911b9b31efaeea950bbaba7faf7f5e86ffa0e5 100644 (file)
--- a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
+++ b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
@@ -1828,6 +1828,13 @@ int spmc_ffa_mem_reclaim(uint32_t smc_fid,
                goto err_unlock;
        }
 
+       if (obj->desc_filled != obj->desc_size) {
+               WARN("%s: incomplete object desc filled %zu < size %zu\n",
+                    __func__, obj->desc_filled, obj->desc_size);
+               ret = FFA_ERROR_INVALID_PARAMETER;
+               goto err_unlock;
+       }
+
        /* Allow for platform specific operations to be performed. */
        ret = plat_spmc_shmem_reclaim(&obj->desc);
        if (ret != 0) {