From 83129bcd8e75f1ffbfc9a3bae3d60749b1d22fe3 Mon Sep 17 00:00:00 2001
From: Karl Meakin
Date: Mon, 22 Jan 2024 17:03:02 +0000
Subject: [PATCH] fix(el3-spmc): fix dangling pointer in FFA_CONSOLE_LOG

Fixes a dangling pointer bug in `spmc_ffa_console_log`. `chars` was assigned to an array which went out of scope at the end of the `if`/`else` block. The solution is to `memcmpy` from the temporary array into `chars`, which is now an array.

Signed-off-by: Karl Meakin
Change-Id: I67d19ea25d09b72f38fcc67dab4acf449aa8f1b1
---
 services/std_svc/spm/el3_spmc/spmc_main.c | 39 +++++++++++------------
 1 file changed, 18 insertions(+), 21 deletions(-)

diff --git a/services/std_svc/spm/el3_spmc/spmc_main.c b/services/std_svc/spm/el3_spmc/spmc_main.c
index 247e2c817..c6ec30c3d 100644
--- a/services/std_svc/spm/el3_spmc/spmc_main.c
+++ b/services/std_svc/spm/el3_spmc/spmc_main.c
@@ -1489,7 +1489,8 @@ static uint64_t spmc_ffa_console_log(uint32_t smc_fid,
 void *handle, uint64_t flags)
 {
- char *chars;
+ /* Maximum number of characters is 48: 6 registers of 8 bytes each. */
+ char chars[48] = {0};
 size_t chars_max;
 size_t chars_count = x1;
@@ -1500,27 +1501,23 @@ static uint64_t spmc_ffa_console_log(uint32_t smc_fid,
 assert(smc_fid == FFA_CONSOLE_LOG_SMC32 || smc_fid == FFA_CONSOLE_LOG_SMC64);
 if (smc_fid == FFA_CONSOLE_LOG_SMC32) {
- uint32_t registers[] = {
- (uint32_t)x2,
- (uint32_t)x3,
- (uint32_t)x4,
- (uint32_t)SMC_GET_GP(handle, CTX_GPREG_X5),
- (uint32_t)SMC_GET_GP(handle, CTX_GPREG_X6),
- (uint32_t)SMC_GET_GP(handle, CTX_GPREG_X7),
- };
- chars_max = ARRAY_SIZE(registers) * sizeof(uint32_t);
- chars = (char *)registers;
+ uint32_t *registers = (uint32_t *)chars;
+ registers[0] = (uint32_t)x2;
+ registers[1] = (uint32_t)x3;
+ registers[2] = (uint32_t)x4;
+ registers[3] = (uint32_t)SMC_GET_GP(handle, CTX_GPREG_X5);
+ registers[4] = (uint32_t)SMC_GET_GP(handle, CTX_GPREG_X6);
+ registers[5] = (uint32_t)SMC_GET_GP(handle, CTX_GPREG_X7);
+ chars_max = 6 * sizeof(uint32_t);
 } else {
- uint64_t registers[] = {
- x2,
- x3,
- x4,
- SMC_GET_GP(handle, CTX_GPREG_X5),
- SMC_GET_GP(handle, CTX_GPREG_X6),
- SMC_GET_GP(handle, CTX_GPREG_X7),
- };
- chars_max = ARRAY_SIZE(registers) * sizeof(uint64_t);
- chars = (char *)registers;
+ uint64_t *registers = (uint64_t *)chars;
+ registers[0] = x2;
+ registers[1] = x3;
+ registers[2] = x4;
+ registers[3] = SMC_GET_GP(handle, CTX_GPREG_X5);
+ registers[4] = SMC_GET_GP(handle, CTX_GPREG_X6);
+ registers[5] = SMC_GET_GP(handle, CTX_GPREG_X7);
+ chars_max = 6 * sizeof(uint64_t);
 }
 if ((chars_count == 0) || (chars_count > chars_max)) {
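Review bot: The new `uint32_t *registers = (uint32_t *)chars;` and `uint64_t *registers = (uint64_t *)chars;` lines store through a pointer cast into a `char[48]`, which carries no alignment guarantee; a `uint64_t` store through it is undefined behaviour in C (a possibly misaligned access, and the stores break the effective-type rule because the array's declared type is `char`), and if data-alignment checking is enabled at this exception level a misaligned store faults instead of silently working. The commit message says the temporary array is `memcpy`'d into `chars`, which is the form that avoids both problems, so the code should match the message: keep the local `registers` array and copy it into `chars` (this assumes `memcpy` is already available in this file, which the visible lines do not show). The literal `6` in `chars_max = 6 * sizeof(uint32_t)` and the `48` in the declaration from the first hunk are now independent numbers that nothing checks against each other; `sizeof(registers)` plus `assert(chars_max <= sizeof(chars))` ties them together, reusing the `assert` the function already relies on. The rest of spmc_ffa_console_log, including the later reads of `chars`, lies outside this hunk.
```c
	if (smc_fid == FFA_CONSOLE_LOG_SMC32) {
		const uint32_t registers[] = {
			(uint32_t)x2,
			(uint32_t)x3,
			(uint32_t)x4,
			(uint32_t)SMC_GET_GP(handle, CTX_GPREG_X5),
			(uint32_t)SMC_GET_GP(handle, CTX_GPREG_X6),
			(uint32_t)SMC_GET_GP(handle, CTX_GPREG_X7),
		};
		chars_max = sizeof(registers);
		/* Aligned, properly typed source; copy bytes so chars[] never
		 * has to be written through a wider pointer type. */
		assert(chars_max <= sizeof(chars));
		memcpy(chars, registers, chars_max);
	} else {
		const uint64_t registers[] = {
			x2,
			x3,
			x4,
			SMC_GET_GP(handle, CTX_GPREG_X5),
			SMC_GET_GP(handle, CTX_GPREG_X6),
			SMC_GET_GP(handle, CTX_GPREG_X7),
		};
		chars_max = sizeof(registers);
		assert(chars_max <= sizeof(chars));
		memcpy(chars, registers, chars_max);
	}
	/* … unchanged: chars_count range check and the rest of the function … */
```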