From patchwork Wed Apr 24 11:40:43 2024
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 13641824
Date: Wed, 24 Apr 2024 14:40:43 +0300
From: Dan Carpenter
To: Sudeep Holla
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH] firmware: arm_ffa: fix memory corruption in ffa_msg_send2()

The "msg" pointer is a struct and msg->offset is the sizeof(*msg). The pointer math here means the memcpy() will write outside the bounds. Cast "msg" to a u8 pointer to fix this.

Fixes: 02c19d84c7c5 ("firmware: arm_ffa: Add support for FFA_MSG_SEND2")
Signed-off-by: Dan Carpenter
--- drivers/firmware/arm_ffa/driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c index 9f89ee0aaa6b..363e86936461 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c @@ -363,7 +363,7 @@ static int ffa_msg_send2(u16 src_id, u16 dst_id, void *buf, size_t sz) msg->offset = sizeof(*msg); msg->send_recv_id = src_dst_ids; msg->size = sz; - memcpy(msg + msg->offset, buf, sz); + memcpy((u8 *)msg + msg->offset, buf, sz); /* flags = 0, sender VMID = 0 works for both physical/virtual NS */ invoke_ffa_fn((ffa_value_t){
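Review bot: The corrected memcpy() still copies sz bytes to (u8 *)msg + msg->offset with no length check visible in this hunk; if the part of ffa_msg_send2() above these lines does not already reject an sz larger than the buffer behind msg minus sizeof(*msg), add that check next to this line, since sz arrives as a caller-supplied size_t. The cast itself is right: with msg typed as a struct pointer, msg + msg->offset advanced by sizeof(*msg) elements, so the old destination sat sizeof(*msg) * sizeof(*msg) bytes past the start of the buffer rather than sizeof(*msg) bytes. Stating that scaling in the commit message would let anyone backporting against the Fixes: commit judge how far out of bounds the old write landed.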