[PATCH] lib: sbi_domain: reject overflowing address range in check_addr_range()
Rahul Pathak
rahul at summations.net
Tue Mar 24 20:25:58 PDT 2026
On Thu, Mar 19, 2026 at 6:52 PM Takumi Hara <takumihara1226 at gmail.com> wrote:
>
> sbi_domain_check_addr_range() computes `max = addr + size` without
> checking for integer overflow. When a caller passes a size large enough
> to wrap around (e.g. addr=0x80000000, size=0xFFFFFFFF80000000), max
> becomes less than addr, causing the while(addr < max) validation loop
> to be skipped entirely. The function then returns true without
> performing any permission checks.
>
> This allows an S-mode caller to bypass domain memory protection and
> access M-mode memory through SBI extensions that use address range
> validation (e.g. DBCN console write/read).
>
> Add an overflow check after computing max: if size is non-zero and
> max wrapped to a value <= addr, reject the request.
>
> Signed-off-by: Takumi Hara <takumihara1226 at gmail.com>
> ---
> lib/sbi/sbi_domain.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/lib/sbi/sbi_domain.c b/lib/sbi/sbi_domain.c
> index 7030848..3df521f 100644
> --- a/lib/sbi/sbi_domain.c
> +++ b/lib/sbi/sbi_domain.c
> @@ -505,6 +505,9 @@ bool sbi_domain_check_addr_range(const struct sbi_domain *dom,
> if (!dom)
> return false;
>
> + if (size && max <= addr)
> + return false;
> +
> while (addr < max) {
> reg = find_region(dom, addr);
> if (!reg)
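Review bot: add a comment above `if (size && max <= addr)` saying that it detects wraparound of `max = addr + size`, and note that it also refuses a range that ends exactly at the top of the address space (max wraps to exactly 0, which is what the commit-message example produces), since the `while (addr < max)` loop below cannot represent such a range anyway; without the comment the line reads like an unrelated ordering sanity check. The size == 0 case is unchanged by the guard: max == addr, the loop is skipped and the function returns true without consulting find_region() for any address, so a zero-length request at an address outside the domain is still accepted; either reject it here as well or state in the commit message why that is harmless.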
What about the condition when the passed size is 0 and max == addr?
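As an added illustration of the wraparound the commit message describes (example code written here, not OpenSBI's sbi_domain_check_addr_range(); the S-mode window bounds, the page-granular stepping and the helper names addr_allowed(), next_page() and wrap_size() are constructed for the demo), the two functions below reproduce the shape of the range loop before and after the guard, and main() runs the commit message's addr = 0x80000000 case together with the zero-length and end-of-address-space corner cases.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model, not OpenSBI's region table: one S-mode-accessible
 * window, everything else treated as M-mode only. Stepping is per page
 * instead of per region, which is enough to show the control flow.
 */
#define PAGE_SIZE  0x1000UL
#define SMODE_BASE 0x80200000UL   /* constructed: first S-mode address */
#define SMODE_END  0x90000000UL   /* constructed: one past the last S-mode address */

/* Stand-in for find_region() plus the permission test on the region found. */
static bool addr_allowed(unsigned long addr)
{
	return addr >= SMODE_BASE && addr < SMODE_END;
}

/* Advance to the next page boundary; returns 0 when that would wrap. */
static unsigned long next_page(unsigned long addr)
{
	unsigned long next = (addr | (PAGE_SIZE - 1)) + 1;
	return next > addr ? next : 0;
}

/* Shape of the check before the patch: max = addr + size may wrap. */
bool check_addr_range_vulnerable(unsigned long addr, unsigned long size)
{
	unsigned long max = addr + size;

	while (addr < max) {
		if (!addr_allowed(addr))
			return false;
		addr = next_page(addr);
		if (!addr)
			break;
	}
	/* Also reached when max wrapped below addr: no address was checked. */
	return true;
}

/* Shape of the check after the patch: a wrapped max with size != 0 is refused. */
bool check_addr_range_fixed(unsigned long addr, unsigned long size)
{
	unsigned long max = addr + size;

	if (size && max <= addr)
		return false;

	while (addr < max) {
		if (!addr_allowed(addr))
			return false;
		addr = next_page(addr);
		if (!addr)
			break;
	}
	return true;
}

/* Size that makes addr + size wrap to exactly 0; for addr = 0x80000000 on
 * a 64-bit unsigned long this is the commit message's 0xFFFFFFFF80000000. */
unsigned long wrap_size(unsigned long addr)
{
	return 0UL - addr;
}

int main(void)
{
	struct { const char *what; unsigned long addr, size; } cases[] = {
		{ "in-window 4 KiB",      SMODE_BASE,               PAGE_SIZE },
		{ "M-mode 4 KiB",         0x80000000UL,             PAGE_SIZE },
		{ "M-mode, wrapping",     0x80000000UL,             wrap_size(0x80000000UL) },
		{ "last page of memory",  ~0UL - (PAGE_SIZE - 1),   PAGE_SIZE },
		{ "zero length, M-mode",  0x80000000UL,             0 },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-22s addr=%#lx size=%#lx  vulnerable=%d fixed=%d\n",
		       cases[i].what, cases[i].addr, cases[i].size,
		       (int)check_addr_range_vulnerable(cases[i].addr, cases[i].size),
		       (int)check_addr_range_fixed(cases[i].addr, cases[i].size));
	return 0;
}
```

Build with `cc -std=c99 -Wall demo.c` and run it: the wrapping M-mode request passes the unpatched loop because max becomes 0 and the loop body never executes, while the patched version refuses it; the same happens for a request covering the last page of the address space, where max also wraps to 0. The zero-length request at an M-mode address is accepted by both versions, which is the case the reply above asks about.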