On Mon, Nov 24, 2025 at 03:50:45PM +0100, Greg KH wrote:
On Mon, Nov 24, 2025 at 09:11:34AM -0500, Sasha Levin wrote:
From: Sebastian Ene sebastianene@google.com
[ Upstream commit 103e17aac09cdd358133f9e00998b75d6c1f1518 ]
Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is set from the host kernel.
Signed-off-by: Sebastian Ene sebastianene@google.com Acked-by: Will Deacon will@kernel.org Link: https://patch.msgid.link/20251017075710.2605118-1-sebastianene@google.com Signed-off-by: Marc Zyngier maz@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org
arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c index 8d21ab904f1a9..eacf4ba1d88e9 100644 --- a/arch/arm64/kvm/hyp/nvhe/ffa.c +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c @@ -425,7 +425,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, DECLARE_REG(u32, npages_mbz, ctxt, 4); struct ffa_composite_mem_region *reg; struct ffa_mem_region *buf;
- u32 offset, nr_ranges;
- u32 offset, nr_ranges, checked_offset; int ret = 0;
if (addr_mbz || npages_mbz || fraglen > len || @@ -460,7 +460,12 @@ static void __do_ffa_mem_xfer(const u64 func_id, goto out_unlock; }
- if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) {
- if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) {
ret = FFA_RET_INVALID_PARAMETERS;goto out_unlock;- }
hello Greg,
I was told that a "straight" backport like this was not correct, so we need a "better" one :(
Sebastian, can you provide the correct backport for 6.6.y please?
I think Sasha's patch is doing the right thing. Sasha thanks for posting it so fast.
I looked up the other faild patches on stable and the reason why the patch doesn't apply is because we don't have the FF-A proxy inthe following versions: - 5.4, 5.10, 5.15, 6.1
thanks,
greg k-h
thanks, Sebastian