fix(el3-spmc): fix coverity scan warnings

Validate emad descriptor integrity before accessing. Check for NULL pointer access. Signed-off-by: Shruti Gupta <shruti.gupta@arm.com> Change-Id: Id4ff3e5d88be95ca8d067378e344947880ec984b
2025-04-30 15:49:34 +00:00 · 2022-08-25 14:22:53 +01:00 · 2022-08-25 14:22:53 +01:00 · 1543d17b98
commit 1543d17b98
parent def7590b3e
3 changed files with 36 additions and 9 deletions
--- a/bl32/tsp/ffa_helpers.c
+++ b/bl32/tsp/ffa_helpers.c
@ -149,13 +149,15 @@ bool memory_retrieve(struct mailbox *mb,
 {
 	smc_args_t ret;
 	uint32_t descriptor_size;
-	struct ffa_mtd *memory_region = (struct ffa_mtd *)mb->tx_buffer;
+	struct ffa_mtd *memory_region;
 	if (retrieved == NULL || mb == NULL) {
 		ERROR("Invalid parameters!\n");
 		return false;
 	}
 	memory_region = (struct ffa_mtd *)mb->tx_buffer;
 	/* Clear TX buffer. */
 	memset(memory_region, 0, PAGE_SIZE);
--- a/bl32/tsp/tsp_ffa_main.c
+++ b/bl32/tsp/tsp_ffa_main.c
@ -216,10 +216,10 @@ static int test_memory_send(ffa_endpoint_id16_t sender, uint64_t handle,
 				(uint64_t)composite->address_range_array[i].address,
 				size, mem_attrs);
-			/* Remove mappings created in this transaction. */
+			/* Remove mappings previously created in this transaction. */
-			for (i--; i >= 0U; i--) {
+			for (i--; i >= 0; i--) {
 				ret = mmap_remove_dynamic_region(
-					(uint64_t)ptr,
+					(uint64_t)composite->address_range_array[i].address,
 					composite->address_range_array[i].page_count * PAGE_SIZE);
 				if (ret != 0) {
@ -227,6 +227,7 @@ static int test_memory_send(ffa_endpoint_id16_t sender, uint64_t handle,
 					panic();
 				}
 			}
 			return FFA_ERROR_NO_MEMORY;
 		}
--- a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
+++ b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
@ -274,13 +274,15 @@ spmc_shmem_obj_ffa_constituent_size(struct spmc_shmem_obj *obj,
 * spmc_shmem_obj_validate_id - Validate a partition ID is participating in
 *				a given memory transaction.
 * @sp_id:      Partition ID to validate.
- * @desc:       Descriptor of the memory transaction.
+ * @obj:        The shared memory object containing the descriptor
- *
+ *              of the memory transaction.
 * Return: true if ID is valid, else false.
 */
-bool spmc_shmem_obj_validate_id(const struct ffa_mtd *desc, uint16_t sp_id)
+bool spmc_shmem_obj_validate_id(struct spmc_shmem_obj *obj, uint16_t sp_id)
 {
 	bool found = false;
 	struct ffa_mtd *desc = &obj->desc;
 	size_t desc_size = obj->desc_size;
 	/* Validate the partition is a valid participant. */
 	for (unsigned int i = 0U; i < desc->emad_count; i++) {
@ -290,6 +292,15 @@ bool spmc_shmem_obj_validate_id(const struct ffa_mtd *desc, uint16_t sp_id)
 		emad = spmc_shmem_obj_get_emad(desc, i,
 					       MAKE_FFA_VERSION(1, 1),
 					       &emad_size);
 		/*
 		 * Validate the calculated emad address resides within the
 		 * descriptor.
 		 */
 		if ((emad == NULL) || (uintptr_t) emad >=
 		    (uintptr_t)((uint8_t *) desc + desc_size)) {
 			VERBOSE("Invalid emad.\n");
 			break;
 		}
 		if (sp_id == emad->mapd.endpoint_id) {
 			found = true;
 			break;
@ -477,6 +488,12 @@ spmc_shm_convert_shmem_obj_from_v1_0(struct spmc_shmem_obj *out_obj,
 	/* Copy across the emad structs. */
 	for (unsigned int i = 0U; i < out->emad_count; i++) {
 		/* Bound check for emad array. */
 		if (((uint8_t *)emad_array_in + sizeof(struct ffa_emad_v1_0)) >
 		    ((uint8_t *) mtd_orig + orig->desc_size)) {
 			VERBOSE("%s: Invalid mtd structure.\n", __func__);
 			return false;
 		}
 		memcpy(&emad_array_out[i], &emad_array_in[i],
 		       sizeof(struct ffa_emad_v1_0));
 	}
@ -544,6 +561,7 @@ spmc_shm_convert_mtd_to_v1_0(struct spmc_shmem_obj *out_obj,
 	size_t mrd_out_offset;
 	size_t emad_out_array_size;
 	size_t mrd_size = 0;
 	size_t orig_desc_size = orig->desc_size;
 	/* Populate the v1.0 descriptor format from the v1.1 struct. */
 	out->sender_id = mtd_orig->sender_id;
@ -561,6 +579,12 @@ spmc_shm_convert_mtd_to_v1_0(struct spmc_shmem_obj *out_obj,
 	/* Copy across the emad structs. */
 	emad_in = emad_array_in;
 	for (unsigned int i = 0U; i < out->emad_count; i++) {
 		/* Bound check for emad array. */
 		if (((uint8_t *)emad_in + sizeof(struct ffa_emad_v1_0)) >
 				((uint8_t *) mtd_orig + orig_desc_size)) {
 			VERBOSE("%s: Invalid mtd structure.\n", __func__);
 			return false;
 		}
 		memcpy(&emad_array_out[i], emad_in,
 		       sizeof(struct ffa_emad_v1_0));
@ -1444,7 +1468,7 @@ spmc_ffa_mem_retrieve_req(uint32_t smc_fid,
 	}
 	/* Validate the caller is a valid participant. */
-	if (!spmc_shmem_obj_validate_id(&obj->desc, sp_ctx->sp_id)) {
+	if (!spmc_shmem_obj_validate_id(obj, sp_ctx->sp_id)) {
 		WARN("%s: Invalid endpoint ID (0x%x).\n",
 			__func__, sp_ctx->sp_id);
 		ret = FFA_ERROR_INVALID_PARAMETER;
@ -1763,7 +1787,7 @@ int spmc_ffa_mem_relinquish(uint32_t smc_fid,
 	}
 	/* Validate the caller is a valid participant. */
-	if (!spmc_shmem_obj_validate_id(&obj->desc, sp_ctx->sp_id)) {
+	if (!spmc_shmem_obj_validate_id(obj, sp_ctx->sp_id)) {
 		WARN("%s: Invalid endpoint ID (0x%x).\n",
 			__func__, req->endpoint_array[0]);
 		ret = FFA_ERROR_INVALID_PARAMETER;