On Mon, Nov 24, 2025 at 03:00:00PM +0000, Sebastian Ene wrote:
On Mon, Nov 24, 2025 at 03:50:45PM +0100, Greg KH wrote:
On Mon, Nov 24, 2025 at 09:11:34AM -0500, Sasha Levin wrote:
From: Sebastian Ene <sebastianene@google.com>
[ Upstream commit 103e17aac09cdd358133f9e00998b75d6c1f1518 ]
Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is set from the host kernel.
Signed-off-by: Sebastian Ene <sebastianene@google.com>
Acked-by: Will Deacon <will@kernel.org>
Link: https://patch.msgid.link/20251017075710.2605118-1-sebastianene@google.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c index 8d21ab904f1a9..eacf4ba1d88e9 100644 --- a/arch/arm64/kvm/hyp/nvhe/ffa.c +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c @@ -425,7 +425,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, DECLARE_REG(u32, npages_mbz, ctxt, 4); struct ffa_composite_mem_region *reg; struct ffa_mem_region *buf;
- u32 offset, nr_ranges;
- u32 offset, nr_ranges, checked_offset; int ret = 0;
if (addr_mbz || npages_mbz || fraglen > len || @@ -460,7 +460,12 @@ static void __do_ffa_mem_xfer(const u64 func_id, goto out_unlock; }
- if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) {
- if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) {
ret = FFA_RET_INVALID_PARAMETERS;goto out_unlock;- }
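Review bot: `checked_offset` is declared `u32` in the first hunk, and that type is what makes `check_add_overflow()` trip at the u32 boundary rather than at the `size_t` width of `sizeof(struct ffa_composite_mem_region)`; a one-line comment on the declaration (e.g. `/* u32: overflow must be detected at the width of offset */`) would stop a later cleanup from widening it to `size_t` and silently disabling the check.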
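Review bot: in the second hunk the `check_add_overflow()` test replaces the `fraglen < offset + sizeof(struct ffa_composite_mem_region)` comparison, but the visible lines do not show `fraglen` being compared against `checked_offset` afterwards; the overflow test alone only rejects offsets that wrap, so an offset that stays below U32_MAX yet places the composite region past `fraglen` would be accepted unless an `if (fraglen < checked_offset)` check follows. Please confirm that check is present in the complete patch (the diffstat's 7 insertions suggest more lines than are shown here). Both the replaced and the replacement line appear with a `-` marker in this copy; the `check_add_overflow()` line is evidently the added one.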
Hello Greg,
I was told that a "straight" backport like this was not correct, so we need a "better" one :(
Sebastian, can you provide the correct backport for 6.6.y please?
I think Sasha's patch is doing the right thing. Sasha, thanks for posting it so fast.
Then why is the backport that is in the android 6.6.y kernel branches different from this one? Which one is "correct"?
thanks,
greg k-h
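To make the offset range quoted in the commit message concrete, here is an added example (it is not code from the thread or from the kernel) that models the two checks side by side: a bound check whose sum is forced into 32 bits, and the `check_add_overflow()` form with a `u32` destination. Assumptions are labelled in the code: `struct composite_stub` is a stand-in whose layout is assumed (only its 16-byte size matters), `check_add_overflow()` is modelled with `__builtin_add_overflow()`, and the trailing `fraglen < checked_offset` comparison is this example's reconstruction of the bound check the replaced line performed, not copied from the patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;
typedef uint64_t u64;

/*
 * Stand-in for struct ffa_composite_mem_region. The field layout is an
 * assumption made for this example; only sizeof() == 16 matters here.
 */
struct composite_stub {
	u32 total_pg_cnt;
	u32 addr_range_cnt;
	u64 reserved;
};

/*
 * Same contract as the kernel helper: evaluates to true when a + b does
 * not fit in *d. The type of *d decides where "overflow" begins.
 */
#define check_add_overflow(a, b, d) __builtin_add_overflow((a), (b), (d))

/* First offset for which offset + sizeof(composite) no longer fits a u32. */
u32 first_overflowing_offset(void)
{
	return UINT32_MAX - (u32)sizeof(struct composite_stub) + 1;
}

/*
 * Bound check with the sum forced into 32 bits, modelling the wrap the
 * commit message describes: for offsets in
 * [U32_MAX - sizeof(composite) + 1, U32_MAX] the sum wraps to a small
 * value and the fragment is accepted. Returns true when accepted.
 */
bool naive_u32_check_accepts(u32 fraglen, u32 offset)
{
	u32 end = offset + (u32)sizeof(struct composite_stub);

	return !(fraglen < end);
}

/*
 * The check as the patch has it, followed by the fraglen comparison
 * (the second step is this example's reconstruction of the replaced
 * line). Returns 0 when valid, -1 for "invalid parameters".
 */
int validate_composite_offset(u32 fraglen, u32 offset)
{
	u32 checked_offset;	/* u32 on purpose: detect the wrap at offset's width */

	if (check_add_overflow(offset, sizeof(struct composite_stub),
			       &checked_offset))
		return -1;

	if (fraglen < checked_offset)
		return -1;

	return 0;
}

int main(void)
{
	u32 bad = first_overflowing_offset();

	printf("first overflowing offset: 0x%08x\n", bad);
	printf("forced-u32 check accepts it: %s\n",
	       naive_u32_check_accepts(64, bad) ? "yes" : "no");
	printf("check_add_overflow version returns: %d\n",
	       validate_composite_offset(64, bad));
	return 0;
}
```

Note that `__builtin_add_overflow()` computes the sum at infinite precision and then asks whether it fits the destination type; with a `size_t` destination the same call would never fire for these inputs, which is why the width of `checked_offset` is the load-bearing detail.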