Merge changes from topic "jc/bug_fix_el3_spmc" into integration

* changes: fix(el3-spmc): avoid NULL deref in FFA_MEM_RETRIEVE_REQ path fix(el3-spmc): prevent integer overflow in memory overlap validation
2026-05-01 08:56:39 +00:00 · 2026-05-01 08:56:39 +00:00 · 293d8f887b
commit 293d8f887b
parent 5ec084bb62 850eba90fc
1 changed files with 37 additions and 5 deletions
--- a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
+++ b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022-2023, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2022-2026, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -328,17 +328,43 @@ overlapping_memory_regions(struct ffa_comp_mrd *region1,
 	for (size_t i = 0; i < region1->address_range_count; i++) {

 		region1_start = region1->address_range_array[i].address;
+
+		/*
+		 * Ensure page_count * PAGE_SIZE_4KB is computed without
+		 * overflowing before deriving the region end address.
+		 */
+		if (region1->address_range_array[i].page_count >
+		    (UINT64_MAX / PAGE_SIZE_4KB)) {
+			return true;
+		}
+
 		region1_size =
-			region1->address_range_array[i].page_count *
+			(uint64_t)region1->address_range_array[i].page_count *
 			PAGE_SIZE_4KB;
+
+		if (check_u64_overflow(region1_start, region1_size)) {
+			return true;
+		}
+
 		region1_end = region1_start + region1_size;

 		for (size_t j = 0; j < region2->address_range_count; j++) {

 			region2_start = region2->address_range_array[j].address;
+
+			if (region2->address_range_array[j].page_count >
+			    (UINT64_MAX / PAGE_SIZE_4KB)) {
+				return true;
+			}
+
 			region2_size =
-				region2->address_range_array[j].page_count *
+				(uint64_t)region2->address_range_array[j].page_count *
 				PAGE_SIZE_4KB;
+
+			if (check_u64_overflow(region2_start, region2_size)) {
+				return true;
+			}
+
 			region2_end = region2_start + region2_size;

 			/* Check if regions are not overlapping. */
@ -1562,11 +1588,17 @@ spmc_ffa_mem_retrieve_req(uint32_t smc_fid,
 		goto err_unlock_mailbox;
 	}

-	/* req->emad_count is not set for retrieve by hypervisor */
+	/*
+	 * Validate emad_count based on caller origin:
+	 *
+	 * - Hypervisor retrieve requests do not include endpoint memory
+	 *   access descriptors.
+	 * - Secure partition retrieve requests must include them.
+	 */
 	if ((secure_origin && req->emad_count == 0U) ||
 	    (!secure_origin && req->emad_count != 0U)) {
 		WARN("%s: unsupported attribute desc count %u.\n",
-		     __func__, obj->desc.emad_count);
+		     __func__, req->emad_count);
 		ret = FFA_ERROR_INVALID_PARAMETER;
 		goto err_unlock_mailbox;
 	}