| Message ID | cd5fb6b5-81fa-4a6d-b2b8-284ca704bbff@moroto.mountain (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | firmware: arm_ffa: fix memory corruption in ffa_msg_send2() | expand |
On Wed, 24 Apr 2024 14:40:43 +0300, Dan Carpenter wrote: > The "msg" pointer is a struct and msg->offset is the sizeof(*msg). The > pointer here math means the memcpy() will write outside the bounds. > Cast "msg" to a u8 pointer to fix this. > Applied to sudeep.holla/linux (for-next/ffa/updates), thanks! [1/1] firmware: arm_ffa: fix memory corruption in ffa_msg_send2() https://git.kernel.org/sudeep.holla/c/ddfade88f49d -- Regards, Sudeep
diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c index 9f89ee0aaa6b..363e86936461 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c @@ -363,7 +363,7 @@ static int ffa_msg_send2(u16 src_id, u16 dst_id, void *buf, size_t sz) msg->offset = sizeof(*msg); msg->send_recv_id = src_dst_ids; msg->size = sz; - memcpy(msg + msg->offset, buf, sz); + memcpy((u8 *)msg + msg->offset, buf, sz); /* flags = 0, sender VMID = 0 works for both physical/virtual NS */ invoke_ffa_fn((ffa_value_t){
The "msg" pointer is a struct and msg->offset is the sizeof(*msg). The pointer here math means the memcpy() will write outside the bounds. Cast "msg" to a u8 pointer to fix this. Fixes: 02c19d84c7c5 ("firmware: arm_ffa: Add support for FFA_MSG_SEND2") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> --- drivers/firmware/arm_ffa/driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)