intel: Include address range check for SiP Mailbox
This patch modify current address range checker in SiP driver to also
accept input size.
Also, include said checker for SiP mailbox send command to ensure
referenced argument is within expected address.
Signed-off-by: Abdul Halim, Muhammad Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
Change-Id: Ie0c3cac4c3d1a6ea0194602d9aa3541f5d9a3367
diff --git a/plat/intel/soc/common/socfpga_sip_svc.c b/plat/intel/soc/common/socfpga_sip_svc.c
index b4fe6d6..5b600e5 100644
--- a/plat/intel/soc/common/socfpga_sip_svc.c
+++ b/plat/intel/soc/common/socfpga_sip_svc.c
@@ -252,12 +252,16 @@
return true;
}
-static bool is_address_in_ddr_range(uint64_t addr)
+static bool is_address_in_ddr_range(uint64_t addr, uint64_t size)
{
- if (addr >= DRAM_BASE && addr <= DRAM_BASE + DRAM_SIZE)
- return true;
+ if (size > (UINT64_MAX - addr))
+ return false;
+ if (addr < DRAM_BASE)
+ return false;
+ if (addr + size > DRAM_BASE + DRAM_SIZE)
+ return false;
- return false;
+ return true;
}
static uint32_t intel_fpga_config_write(uint64_t mem, uint64_t size)
@@ -266,8 +270,7 @@
intel_fpga_sdm_write_all();
- if (!is_address_in_ddr_range(mem) ||
- !is_address_in_ddr_range(mem + size) ||
+ if (!is_address_in_ddr_range(mem, size) ||
is_fpga_config_buffer_full())
return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -406,11 +409,16 @@
int resp_len, int *mbox_status,
int *len_in_resp)
{
+ *len_in_resp = 0;
+ *mbox_status = 0;
+
+ if (!is_address_in_ddr_range((uint64_t)args, sizeof(uint32_t) * len))
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+
int status = mailbox_send_cmd(MBOX_JOB_ID, cmd, args, len, urgent,
response, resp_len);
if (status < 0) {
- *len_in_resp = 0;
*mbox_status = -status;
return INTEL_SIP_SMC_STATUS_ERROR;
}