From 7b5740102144eefef9869943f88f3a6e5328cbf9 Mon Sep 17 00:00:00 2001 From: Sebastian Ene Date: Fri, 8 Aug 2025 11:20:38 +0000 Subject: [PATCH] ANDROID: KVM: Verify the constituents offset in the guest FF-A Prevent the guest from sharing an out of bounds IPA address with FF-A when the constituent number exceeds the maximum allowed size. Bug: 436351242 Change-Id: Ic0caf2414690e2b495458b227076bbc170646985 Signed-off-by: Sebastian Ene --- arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c index 1f06bd5d9885..feaba59af32e 100644 --- a/arch/arm64/kvm/hyp/nvhe/ffa.c +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c @@ -728,7 +728,7 @@ static int ffa_guest_share_ranges(struct ffa_mem_region_addr_range *ranges, struct ffa_mem_region_addr_range *buf = out_region->constituents; int i, j, ret; u32 mem_region_idx = 0; - u64 ipa, pa; + u64 ipa, pa, offset; for (i = 0; i < nranges; i++) { range = &ranges[i]; @@ -738,7 +738,12 @@ static int ffa_guest_share_ranges(struct ffa_mem_region_addr_range *ranges, goto unshare; } - ipa = range->address + PAGE_SIZE * j; + if (check_mul_overflow(j, PAGE_SIZE, &offset) || + check_add_overflow(range->address, offset, &ipa)) { + ret = -EINVAL; + goto unshare; + } + ret = __pkvm_guest_share_ffa_page(vcpu, ipa, &pa); if (ret) goto unshare;