[PATCH] lib: sbi_mpxy: fix integer overflow in attribute range endpoint

Rahul Pathak rahul at summations.net
Thu Jul 2 08:12:24 PDT 2026


On Sun, Jun 28, 2026 at 7:57 PM liutong <liutong at iscas.ac.cn> wrote:
>
> sbi_mpxy_read_attrs() and sbi_mpxy_write_attrs() compute the attribute
> range endpoint as:
>
>   u32 end_id = base_attr_id + attr_count - 1;
>
> When base_attr_id is close to UINT32_MAX (e.g. 0xFFFFFFFF with
> attr_count=2) the addition wraps around to a small value. The
> subsequent range check for the message protocol path compares
> end_id > SBI_MPXY_ATTR_MSGPROTO_ATTR_END (0xFFFFFFFF), which is
> always false for a u32 variable and therefore dead code.
>
> The wrapped end_id then passes through to the RPMI mailbox read
> callback, where attr_id2index() computes a large index
> (base_attr_id - 0x80000000), causing an out-of-bounds read from
> M-mode memory into S-mode shared memory.
>
> Fix by widening end_id to u64 before the arithmetic, consistent with
> the approach used in sbi_sse_attr_check(). Apply the same fix to the
> RPMI mailbox callbacks for defense in depth.
>
> Signed-off-by: liutong <liutong at iscas.ac.cn>
> ---

It deserves a Fixes tag.

Reviewed-by: Rahul Pathak <rahul at summations.net>



More information about the opensbi mailing list