[PATCH] lib: sbi_domain: reject overflowing address range in check_addr_range()
Takumi Hara
takumihara1226 at gmail.com
Thu Mar 19 06:22:32 PDT 2026
sbi_domain_check_addr_range() computes `max = addr + size` without
checking for integer overflow. When a caller passes a size large enough
to wrap around (e.g. addr=0x80000000, size=0xFFFFFFFF80000000), max
becomes less than addr, causing the while(addr < max) validation loop
to be skipped entirely. The function then returns true without
performing any permission checks.
This allows an S-mode caller to bypass domain memory protection and
access M-mode memory through SBI extensions that use address range
validation (e.g. DBCN console write/read).
Add an overflow check after computing max: if size is non-zero and
max wrapped to a value <= addr, reject the request.
Signed-off-by: Takumi Hara <takumihara1226 at gmail.com>
---
lib/sbi/sbi_domain.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/sbi/sbi_domain.c b/lib/sbi/sbi_domain.c
index 7030848..3df521f 100644
--- a/lib/sbi/sbi_domain.c
+++ b/lib/sbi/sbi_domain.c
@@ -505,6 +505,9 @@ bool sbi_domain_check_addr_range(const struct sbi_domain *dom,
if (!dom)
return false;
+ if (size && max <= addr)
+ return false;
+
while (addr < max) {
reg = find_region(dom, addr);
if (!reg)
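Review bot: the new `size && max <= addr` test correctly catches every wrapped sum (with size non-zero and no wrap, `max` is strictly greater than `addr`, so the only way to reach `max <= addr` is overflow), but it also rejects the one legitimate range whose end lands exactly on the top of the address space, where `addr + size` wraps to 0 even though every byte of the range is addressable; if such ranges need to be accepted, compare against an inclusive end (`addr + size - 1`) instead. A one-line comment above the check saying it guards against wrap-around of `max = addr + size` would make the intent obvious to later readers, since the computation of `max` sits outside this hunk. Note also that a zero-size request (`max == addr`) still skips the loop and returns true without any region lookup, exactly as before the patch; worth stating in the commit message that this is intended.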
--
2.52.0