diff options
| author | Takumi Hara <takumihara1226@gmail.com> | 2026-03-19 22:22:32 +0900 |
|---|---|---|
| committer | Anup Patel <anup@brainfault.org> | 2026-05-11 19:42:38 +0530 |
| commit | 9595829a336793744f56b978b2651350d0a1723b (patch) | |
| tree | 1bdcf69b69f986b985e3d5342e9f216498fcb354 /lib | |
| parent | d9637d00bf47a3cc17306fc62e71652c8a83c289 (diff) | |
| download | opensbi-9595829a336793744f56b978b2651350d0a1723b.tar.gz opensbi-9595829a336793744f56b978b2651350d0a1723b.zip | |
lib: sbi_domain: reject overflowing address range in check_addr_range()
sbi_domain_check_addr_range() computes `max = addr + size` without
checking for integer overflow. When a caller passes a size large enough
to wrap around (e.g. addr=0x80000000, size=0xFFFFFFFF80000000), max
becomes less than addr, causing the while(addr < max) validation loop
to be skipped entirely. The function then returns true without
performing any permission checks.
This allows an S-mode caller to bypass domain memory protection and
access M-mode memory through SBI extensions that use address range
validation (e.g. DBCN console write/read).
Add an overflow check after computing max: if size is non-zero and
max wrapped to a value <= addr, reject the request.
Signed-off-by: Takumi Hara <takumihara1226@gmail.com>
Reviewed-by: Rahul Pathak <rahul@summations.net>
Link: https://lore.kernel.org/r/20260319132232.51572-1-takumihara1226@gmail.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/sbi/sbi_domain.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/sbi/sbi_domain.c b/lib/sbi/sbi_domain.c index 7030848d..3df521fd 100644 --- a/lib/sbi/sbi_domain.c +++ b/lib/sbi/sbi_domain.c @@ -505,6 +505,9 @@ bool sbi_domain_check_addr_range(const struct sbi_domain *dom, if (!dom) return false; + if (size && max <= addr) + return false; + while (addr < max) { reg = find_region(dom, addr); if (!reg) |
