summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakumi Hara <takumihara1226@gmail.com>2026-03-19 22:22:32 +0900
committerAnup Patel <anup@brainfault.org>2026-05-11 19:42:38 +0530
commit9595829a336793744f56b978b2651350d0a1723b (patch)
tree1bdcf69b69f986b985e3d5342e9f216498fcb354
parentd9637d00bf47a3cc17306fc62e71652c8a83c289 (diff)
downloadopensbi-9595829a336793744f56b978b2651350d0a1723b.tar.gz
opensbi-9595829a336793744f56b978b2651350d0a1723b.zip
lib: sbi_domain: reject overflowing address range in check_addr_range()
sbi_domain_check_addr_range() computes `max = addr + size` without checking for integer overflow. When a caller passes a size large enough to wrap around (e.g. addr=0x80000000, size=0xFFFFFFFF80000000), max becomes less than addr, causing the while(addr < max) validation loop to be skipped entirely. The function then returns true without performing any permission checks. This allows an S-mode caller to bypass domain memory protection and access M-mode memory through SBI extensions that use address range validation (e.g. DBCN console write/read). Add an overflow check after computing max: if size is non-zero and max wrapped to a value <= addr, reject the request. Signed-off-by: Takumi Hara <takumihara1226@gmail.com> Reviewed-by: Rahul Pathak <rahul@summations.net> Link: https://lore.kernel.org/r/20260319132232.51572-1-takumihara1226@gmail.com Signed-off-by: Anup Patel <anup@brainfault.org>
-rw-r--r--lib/sbi/sbi_domain.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/sbi/sbi_domain.c b/lib/sbi/sbi_domain.c
index 7030848d..3df521fd 100644
--- a/lib/sbi/sbi_domain.c
+++ b/lib/sbi/sbi_domain.c
@@ -505,6 +505,9 @@ bool sbi_domain_check_addr_range(const struct sbi_domain *dom,
if (!dom)
return false;
+ if (size && max <= addr)
+ return false;
+
while (addr < max) {
reg = find_region(dom, addr);
if (!reg)