summaryrefslogtreecommitdiff
path: root/services/std_svc
diff options
context:
space:
mode:
authorDemi Marie Obenour <demiobenour@gmail.com>2023-01-12 13:25:23 -0500
committerDemi Marie Obenour <demiobenour@gmail.com>2023-06-05 13:22:21 -0400
commit9526282a7d7caf3b4f933d04192429c6d70fa5bf (patch)
treebb2a0a4ef6ad8abfe77868cc69e25955cbb6847f /services/std_svc
parent2d4da8e265660ce7580219b51d5e79fd99ce1458 (diff)
refactor(el3-spmc): crash instead of reading OOB
If it is called on an invalid mtd, out-of-bounds memory reads are likely. Checks elsewhere in the code ensure that the mtd has been validated before calling this function. Change-Id: If598680a5b79e1786a6e0a213779ec80cbf37494 Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Diffstat (limited to 'services/std_svc')
-rw-r--r--services/std_svc/spm/el3_spmc/spmc_shared_mem.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
index 9f6190792..5dc60f6ac 100644
--- a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
+++ b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
@@ -788,11 +788,17 @@ static int spmc_shmem_check_obj(struct spmc_shmem_obj *obj,
uint32_t ffa_version)
{
uint32_t comp_mrd_offset = 0;
+ if (obj->desc_filled != obj->desc_size) {
+ ERROR("BUG: %s called on incomplete object (%zu != %zu)\n",
+ __func__, obj->desc_filled, obj->desc_size);
+ panic();
+ }
- if (obj->desc.emad_count == 0U) {
- WARN("%s: unsupported attribute desc count %u.\n",
- __func__, obj->desc.emad_count);
- return -EINVAL;
+ if (spmc_validate_mtd_start(&obj->desc, ffa_version,
+ obj->desc_filled, obj->desc_size)) {
+ ERROR("BUG: %s called on object with corrupt memory region descriptor\n",
+ __func__);
+ panic();
}
for (size_t emad_num = 0; emad_num < obj->desc.emad_count; emad_num++) {
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-22 23:51:51 +0000