[PATCH v4 2/5] firmware: arm_ffa: Fix out-of-bound writes in ffa_setup_and_transmit()
Sudeep Holla
sudeep.holla at kernel.org
Thu May 21 05:51:12 PDT 2026
On Wed, May 20, 2026 at 08:49:45PM +0000, Mostafa Saleh wrote:
> Sashiko (locally) reports multiple out-of-bound issues in
> ffa_setup_and_transmit:
> 1) Writing ep_mem_access->reserved can write out of bounds for FFA
> versions < 1.2 as ffa_emad_size_get() returns 16 bytes in that case
> while reserved has an offset of 24.
> Instead of zeroing fields, memset the struct to zero first based on
> the FFA version.
>
Neat, I clearly missed taking this approach when I added zeroing of
member initially.
> 2) Make sure there is enough size to write constituents.
>
> While at it, convert the only sizeof() in the driver that uses a
> type instead of variable.
>
Reviewed-by: Sudeep Holla <sudeep.holla at kernel.org>
--
Regards,
Sudeep
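
The fix described in the quoted commit message, as an added example that is not part of the patch or the arm_ffa driver. The struct layout and the helpers `emad_size()`, `emad_init()`, `constituents_fit()` and `tail_untouched()` are a hypothetical model built only from the two figures in the thread: a 16-byte descriptor before version 1.2, and `reserved` at offset 24.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model (assumption). Only two facts come from the thread:
 * the descriptor is 16 bytes before v1.2, and `reserved` sits at offset 24. */
struct emad_model {
	uint16_t receiver;
	uint8_t  attrs, flag;
	uint32_t composite_off;
	uint8_t  impdef_val[16];	/* assumed to exist from v1.2 on */
	uint64_t reserved;		/* offset 24: outside a 16-byte descriptor */
};
_Static_assert(offsetof(struct emad_model, reserved) == 24, "layout");

/* Hypothetical stand-in for ffa_emad_size_get(): bytes used per minor version. */
static size_t emad_size(unsigned minor)
{
	return minor >= 2 ? sizeof(struct emad_model) : 16;
}

/* Zero exactly the version-sized descriptor, then set one field that every size holds. */
static size_t emad_init(uint8_t *buf, size_t avail, unsigned minor, uint16_t receiver)
{
	size_t sz = emad_size(minor);
	if (avail < sz)
		return 0;	/* not enough room: write nothing */
	memset(buf, 0, sz);
	memcpy(buf + offsetof(struct emad_model, receiver), &receiver, sizeof(receiver));
	return sz;
}

/* Item 2: do `count` constituents of `each` bytes fit after `offset`? */
static int constituents_fit(size_t avail, size_t offset, size_t count, size_t each)
{
	return each && offset <= avail && count <= (avail - offset) / each;
}

/* Constructed check: bytes past the descriptor must keep their 0xAA fill. */
static int tail_untouched(unsigned minor)
{
	uint8_t buf[32];
	memset(buf, 0xAA, sizeof(buf));
	size_t sz = emad_init(buf, sizeof(buf), minor, 0x8001);
	for (size_t i = sz; i < sizeof(buf); i++)
		if (buf[i] != 0xAA)
			return 0;
	return sz != 0;
}
```

Because `emad_init()` never names `reserved`, a 16-byte descriptor cannot be overrun by a store at offset 24, and the division in `constituents_fit()` avoids overflow in `count * each`.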