Merge changes from topic "ffa_el3_spmc_fixes" into integration
* changes:
fix(tsp): use verbose for power logs
fix(el3-spmc): fix coverity scan warnings
fix(el3-spmc): improve bound check for descriptor
diff --git a/bl32/tsp/ffa_helpers.c b/bl32/tsp/ffa_helpers.c
index 3639c22..ad70c2b 100644
--- a/bl32/tsp/ffa_helpers.c
+++ b/bl32/tsp/ffa_helpers.c
@@ -149,13 +149,15 @@
{
smc_args_t ret;
uint32_t descriptor_size;
- struct ffa_mtd *memory_region = (struct ffa_mtd *)mb->tx_buffer;
+ struct ffa_mtd *memory_region;
if (retrieved == NULL || mb == NULL) {
ERROR("Invalid parameters!\n");
return false;
}
+ memory_region = (struct ffa_mtd *)mb->tx_buffer;
+
/* Clear TX buffer. */
memset(memory_region, 0, PAGE_SIZE);
diff --git a/bl32/tsp/tsp_ffa_main.c b/bl32/tsp/tsp_ffa_main.c
index 53dbd03..2c53977 100644
--- a/bl32/tsp/tsp_ffa_main.c
+++ b/bl32/tsp/tsp_ffa_main.c
@@ -216,10 +216,10 @@
(uint64_t)composite->address_range_array[i].address,
size, mem_attrs);
- /* Remove mappings created in this transaction. */
- for (i--; i >= 0U; i--) {
+ /* Remove mappings previously created in this transaction. */
+ for (i--; i >= 0; i--) {
ret = mmap_remove_dynamic_region(
- (uint64_t)ptr,
+ (uint64_t)composite->address_range_array[i].address,
composite->address_range_array[i].page_count * PAGE_SIZE);
if (ret != 0) {
@@ -227,6 +227,7 @@
panic();
}
}
+
return FFA_ERROR_NO_MEMORY;
}
@@ -298,8 +299,8 @@
tsp_stats[linear_id].eret_count++;
tsp_stats[linear_id].cpu_off_count++;
- INFO("TSP: cpu 0x%lx off request\n", read_mpidr());
- INFO("TSP: cpu 0x%lx: %d smcs, %d erets %d cpu off requests\n",
+ VERBOSE("TSP: cpu 0x%lx off request\n", read_mpidr());
+ VERBOSE("TSP: cpu 0x%lx: %d smcs, %d erets %d cpu off requests\n",
read_mpidr(),
tsp_stats[linear_id].smc_count,
tsp_stats[linear_id].eret_count,
@@ -336,7 +337,7 @@
tsp_stats[linear_id].eret_count++;
tsp_stats[linear_id].cpu_suspend_count++;
- INFO("TSP: cpu 0x%lx: %d smcs, %d erets %d cpu suspend requests\n",
+ VERBOSE("TSP: cpu 0x%lx: %d smcs, %d erets %d cpu suspend requests\n",
read_mpidr(),
tsp_stats[linear_id].smc_count,
tsp_stats[linear_id].eret_count,
@@ -369,9 +370,9 @@
tsp_stats[linear_id].eret_count++;
tsp_stats[linear_id].cpu_resume_count++;
- INFO("TSP: cpu 0x%lx resumed. maximum off power level %" PRId64 "\n",
+ VERBOSE("TSP: cpu 0x%lx resumed. maximum off power level %" PRId64 "\n",
read_mpidr(), max_off_pwrlvl);
- INFO("TSP: cpu 0x%lx: %d smcs, %d erets %d cpu resume requests\n",
+ VERBOSE("TSP: cpu 0x%lx: %d smcs, %d erets %d cpu resume requests\n",
read_mpidr(),
tsp_stats[linear_id].smc_count,
tsp_stats[linear_id].eret_count,
@@ -611,7 +612,7 @@
tsp_stats[linear_id].eret_count++;
tsp_stats[linear_id].cpu_on_count++;
- INFO("TSP: cpu 0x%lx: %d smcs, %d erets %d cpu on requests\n",
+ VERBOSE("TSP: cpu 0x%lx: %d smcs, %d erets %d cpu on requests\n",
read_mpidr(),
tsp_stats[linear_id].smc_count,
tsp_stats[linear_id].eret_count,
@@ -640,8 +641,8 @@
tsp_stats[linear_id].smc_count++;
tsp_stats[linear_id].eret_count++;
tsp_stats[linear_id].cpu_on_count++;
- INFO("TSP: cpu 0x%lx turned on\n", read_mpidr());
- INFO("TSP: cpu 0x%lx: %d smcs, %d erets %d cpu on requests\n",
+ VERBOSE("TSP: cpu 0x%lx turned on\n", read_mpidr());
+ VERBOSE("TSP: cpu 0x%lx: %d smcs, %d erets %d cpu on requests\n",
read_mpidr(),
tsp_stats[linear_id].smc_count,
tsp_stats[linear_id].eret_count,
diff --git a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
index 89d7b31..c039350 100644
--- a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
+++ b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
@@ -274,13 +274,15 @@
* spmc_shmem_obj_validate_id - Validate a partition ID is participating in
* a given memory transaction.
* @sp_id: Partition ID to validate.
- * @desc: Descriptor of the memory transaction.
- *
+ * @obj: The shared memory object containing the descriptor
+ * of the memory transaction.
* Return: true if ID is valid, else false.
*/
-bool spmc_shmem_obj_validate_id(const struct ffa_mtd *desc, uint16_t sp_id)
+bool spmc_shmem_obj_validate_id(struct spmc_shmem_obj *obj, uint16_t sp_id)
{
bool found = false;
+ struct ffa_mtd *desc = &obj->desc;
+ size_t desc_size = obj->desc_size;
/* Validate the partition is a valid participant. */
for (unsigned int i = 0U; i < desc->emad_count; i++) {
@@ -290,6 +292,15 @@
emad = spmc_shmem_obj_get_emad(desc, i,
MAKE_FFA_VERSION(1, 1),
&emad_size);
+ /*
+ * Validate the calculated emad address resides within the
+ * descriptor.
+ */
+ if ((emad == NULL) || (uintptr_t) emad >=
+ (uintptr_t)((uint8_t *) desc + desc_size)) {
+ VERBOSE("Invalid emad.\n");
+ break;
+ }
if (sp_id == emad->mapd.endpoint_id) {
found = true;
break;
@@ -385,7 +396,8 @@
emad_array[0].comp_mrd_offset);
/* Check the calculated address is within the memory descriptor. */
- if ((uintptr_t) mrd >= (uintptr_t)((uint8_t *) orig + desc_size)) {
+ if (((uintptr_t) mrd + sizeof(struct ffa_comp_mrd)) >
+ (uintptr_t)((uint8_t *) orig + desc_size)) {
return 0;
}
size += mrd->address_range_count * sizeof(struct ffa_cons_mrd);
@@ -424,7 +436,8 @@
emad_array[0].comp_mrd_offset);
/* Check the calculated address is within the memory descriptor. */
- if ((uintptr_t) mrd >= (uintptr_t)((uint8_t *) orig + desc_size)) {
+ if (((uintptr_t) mrd + sizeof(struct ffa_comp_mrd)) >
+ (uintptr_t)((uint8_t *) orig + desc_size)) {
return 0;
}
size += mrd->address_range_count * sizeof(struct ffa_cons_mrd);
@@ -475,6 +488,12 @@
/* Copy across the emad structs. */
for (unsigned int i = 0U; i < out->emad_count; i++) {
+ /* Bound check for emad array. */
+ if (((uint8_t *)emad_array_in + sizeof(struct ffa_emad_v1_0)) >
+ ((uint8_t *) mtd_orig + orig->desc_size)) {
+ VERBOSE("%s: Invalid mtd structure.\n", __func__);
+ return false;
+ }
memcpy(&emad_array_out[i], &emad_array_in[i],
sizeof(struct ffa_emad_v1_0));
}
@@ -542,6 +561,7 @@
size_t mrd_out_offset;
size_t emad_out_array_size;
size_t mrd_size = 0;
+ size_t orig_desc_size = orig->desc_size;
/* Populate the v1.0 descriptor format from the v1.1 struct. */
out->sender_id = mtd_orig->sender_id;
@@ -559,6 +579,12 @@
/* Copy across the emad structs. */
emad_in = emad_array_in;
for (unsigned int i = 0U; i < out->emad_count; i++) {
+ /* Bound check for emad array. */
+ if (((uint8_t *)emad_in + sizeof(struct ffa_emad_v1_0)) >
+ ((uint8_t *) mtd_orig + orig_desc_size)) {
+ VERBOSE("%s: Invalid mtd structure.\n", __func__);
+ return false;
+ }
memcpy(&emad_array_out[i], emad_in,
sizeof(struct ffa_emad_v1_0));
@@ -1442,7 +1468,7 @@
}
/* Validate the caller is a valid participant. */
- if (!spmc_shmem_obj_validate_id(&obj->desc, sp_ctx->sp_id)) {
+ if (!spmc_shmem_obj_validate_id(obj, sp_ctx->sp_id)) {
WARN("%s: Invalid endpoint ID (0x%x).\n",
__func__, sp_ctx->sp_id);
ret = FFA_ERROR_INVALID_PARAMETER;
@@ -1761,7 +1787,7 @@
}
/* Validate the caller is a valid participant. */
- if (!spmc_shmem_obj_validate_id(&obj->desc, sp_ctx->sp_id)) {
+ if (!spmc_shmem_obj_validate_id(obj, sp_ctx->sp_id)) {
WARN("%s: Invalid endpoint ID (0x%x).\n",
__func__, req->endpoint_array[0]);
ret = FFA_ERROR_INVALID_PARAMETER;