core: arm: mm: fix VA overflow issue in assign_mem_va()

Fix assign_mem_va() that is missing VA limit check on 64bit machines.
This change catches the overflow at address assignation preventing TEE
to panic in a not obvious way when the out of bound address is accessed.

Signed-off-by: Khoa Hoang <admin@khoahoang.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

1 files changed, 12 insertions, 9 deletions

diff --git a/core/arch/arm/mm/core_mmu.c b/core/arch/arm/mm/core_mmu.c
index b6f20158..25690cd8 100644
--- a/core/arch/arm/mm/core_mmu.c
+++ b/core/arch/arm/mm/core_mmu.c
@@ -909,6 +909,14 @@ static void assign_mem_granularity(struct tee_mmap_region *memory_map)
 	}
 }
 
+static unsigned int get_va_width(void)
+{
+	if (IS_ENABLED(ARM64))
+		return 64 - __builtin_ctzll(CFG_LPAE_ADDR_SPACE_SIZE);
+	else
+		return 32;
+}
+
 static bool assign_mem_va(vaddr_t tee_ram_va,
 			  struct tee_mmap_region *memory_map)
 {
@@ -935,6 +943,8 @@ static bool assign_mem_va(vaddr_t tee_ram_va,
 			map->va = va;
 			if (ADD_OVERFLOW(va, map->size, &va))
 				return false;
+			if (IS_ENABLED(ARM64) && va >= BIT64(get_va_width()))
+				return false;
 		}
 	}
 
@@ -1006,6 +1016,8 @@ static bool assign_mem_va(vaddr_t tee_ram_va,
 			map->va = va;
 			if (ADD_OVERFLOW(va, map->size, &va))
 				return false;
+			if (IS_ENABLED(ARM64) && va >= BIT64(get_va_width()))
+				return false;
 		}
 	}
 
@@ -1032,15 +1044,6 @@ static int cmp_init_mem_map(const void *a, const void *b)
 	return rc;
 }
 
-static unsigned int get_va_width(void)
-{
-#ifdef ARM64
-	return 64 - __builtin_ctzl(CFG_LPAE_ADDR_SPACE_SIZE);
-#else
-	return 32;
-#endif
-}
-
 static bool mem_map_add_id_map(struct tee_mmap_region *memory_map,
 			       size_t num_elems, size_t *last,
 			       vaddr_t id_map_start, vaddr_t id_map_end)