fix(el3-spmc): fix incomplete reclaim validation Ensure that the full memory transaction descriptor has been transmitted before a request to reclaim the memory transaction is permitted. This prevents any potential accesses to the incomplete descriptor. Reported by Matt Oh, Google Android Red Team. Reported-by: mattoh@google.com Signed-off-by: Marc Bonnici <marc.bonnici@arm.com> Change-Id: I33e993c6b754632051e899ab20edd19b18b6cf65

commit: 82e28f1c8096b5ed68fff34bca11da1d40134278 [log] [tgz]
author: Marc Bonnici <marc.bonnici@arm.com> Tue Oct 18 13:39:48 2022 +0100
committer: Joanna Farley <joanna.farley@arm.com> Mon Nov 07 14:39:20 2022 +0100
tree: 6cfc5ccebb6706271a44a6571205e679fec18ae8
parent: 8ef793cd4ce59223a833716df615dcd0aa670ed5 [diff] [blame]
diff --git a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
index 1da2efc..f7911b9 100644
--- a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
+++ b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c

@@ -1828,6 +1828,13 @@
 		goto err_unlock;
 	}
 
+	if (obj->desc_filled != obj->desc_size) {
+		WARN("%s: incomplete object desc filled %zu < size %zu\n",
+		     __func__, obj->desc_filled, obj->desc_size);
+		ret = FFA_ERROR_INVALID_PARAMETER;
+		goto err_unlock;
+	}
+
 	/* Allow for platform specific operations to be performed. */
 	ret = plat_spmc_shmem_reclaim(&obj->desc);
 	if (ret != 0) {
commit	82e28f1c8096b5ed68fff34bca11da1d40134278	[log] [tgz]
author	Marc Bonnici <marc.bonnici@arm.com>	Tue Oct 18 13:39:48 2022 +0100
committer	Joanna Farley <joanna.farley@arm.com>	Mon Nov 07 14:39:20 2022 +0100
tree	6cfc5ccebb6706271a44a6571205e679fec18ae8
parent	8ef793cd4ce59223a833716df615dcd0aa670ed5 [diff] [blame]