ANDROID: KVM: Verify the constituents offset in the guest FF-A
Prevent the guest from sharing an out of bounds IPA address with FF-A when the constituent number exceeds the maximum allowed size. Bug: 436351242 Change-Id: Ic0caf2414690e2b495458b227076bbc170646985 Signed-off-by: Sebastian Ene <sebastianene@google.com>
This commit is contained in:
@@ -728,7 +728,7 @@ static int ffa_guest_share_ranges(struct ffa_mem_region_addr_range *ranges,
|
||||
struct ffa_mem_region_addr_range *buf = out_region->constituents;
|
||||
int i, j, ret;
|
||||
u32 mem_region_idx = 0;
|
||||
u64 ipa, pa;
|
||||
u64 ipa, pa, offset;
|
||||
|
||||
for (i = 0; i < nranges; i++) {
|
||||
range = &ranges[i];
|
||||
@@ -738,7 +738,12 @@ static int ffa_guest_share_ranges(struct ffa_mem_region_addr_range *ranges,
|
||||
goto unshare;
|
||||
}
|
||||
|
||||
ipa = range->address + PAGE_SIZE * j;
|
||||
if (check_mul_overflow(j, PAGE_SIZE, &offset) ||
|
||||
check_add_overflow(range->address, offset, &ipa)) {
|
||||
ret = -EINVAL;
|
||||
goto unshare;
|
||||
}
|
||||
|
||||
ret = __pkvm_guest_share_ffa_page(vcpu, ipa, &pa);
|
||||
if (ret)
|
||||
goto unshare;
|
||||
|
||||
Reference in New Issue
Block a user