refactor(el3-spmc): crash instead of reading OOB
If this function is called on an invalid mtd, out-of-bounds memory reads are
likely. Checks elsewhere in the code ensure that the mtd has been
validated before this function is called.
Change-Id: If598680a5b79e1786a6e0a213779ec80cbf37494
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
diff --git a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
index 9f61907..5dc60f6 100644
--- a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
+++ b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
@@ -788,11 +788,17 @@
uint32_t ffa_version)
{
uint32_t comp_mrd_offset = 0;
+ if (obj->desc_filled != obj->desc_size) {
+ ERROR("BUG: %s called on incomplete object (%zu != %zu)\n",
+ __func__, obj->desc_filled, obj->desc_size);
+ panic();
+ }
- if (obj->desc.emad_count == 0U) {
- WARN("%s: unsupported attribute desc count %u.\n",
- __func__, obj->desc.emad_count);
- return -EINVAL;
+ if (spmc_validate_mtd_start(&obj->desc, ffa_version,
+ obj->desc_filled, obj->desc_size)) {
+ ERROR("BUG: %s called on object with corrupt memory region descriptor\n",
+ __func__);
+ panic();
}
for (size_t emad_num = 0; emad_num < obj->desc.emad_count; emad_num++) {