Application-supplied buffer addresses not checked for validity

Code must check for valid buffer address to avoid potential corruption Signed-off-by: Tammy Leino <[email protected]>
OpenAMP · Oct 4, 2022 · a30441c · a30441c
1 parent afed3bd
commit a30441c
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/lib/rpmsg/rpmsg_virtio.c b/lib/rpmsg/rpmsg_virtio.c
@@ -288,9 +288,14 @@ static int _rpmsg_virtio_get_buffer_size(struct rpmsg_virtio_device *rvdev)
 
 static void rpmsg_virtio_hold_rx_buffer(struct rpmsg_device *rdev, void *rxbuf)
 {
+	struct rpmsg_virtio_device *rvdev;
 	struct rpmsg_hdr *rp_hdr;
 
-	(void)rdev;
+	rvdev = metal_container_of(rdev, struct rpmsg_virtio_device, rdev);
+
+	if (!metal_io_is_block_valid(rvdev->rvq->shm_io, sizeof(struct rpmsg_hdr),
+				     rxbuf, 0))
+		return;
 
 	rp_hdr = RPMSG_LOCATE_HDR(rxbuf);
 
@@ -307,6 +312,11 @@ static void rpmsg_virtio_release_rx_buffer(struct rpmsg_device *rdev,
 	uint32_t len;
 
 	rvdev = metal_container_of(rdev, struct rpmsg_virtio_device, rdev);
+
+	if (!metal_io_is_block_valid(rvdev->rvq->shm_io, sizeof(struct rpmsg_hdr),
+				     rxbuf, 0))
+		return;
+
 	rp_hdr = RPMSG_LOCATE_HDR(rxbuf);
 	/* The reserved field contains buffer index */
 	idx = (uint16_t)(rp_hdr->reserved & ~RPMSG_BUF_HELD);
@@ -377,6 +387,10 @@ static int rpmsg_virtio_send_offchannel_nocopy(struct rpmsg_device *rdev,
 	/* Get the associated remote device for channel. */
 	rvdev = metal_container_of(rdev, struct rpmsg_virtio_device, rdev);
 
+	if (!metal_io_is_block_valid(rvdev->rvq->shm_io, sizeof(struct rpmsg_hdr),
+				     data, len))
+		return RPMSG_ERR_PARAM;
+
 	hdr = RPMSG_LOCATE_HDR(data);
 	/* The reserved field contains buffer index */
 	idx = hdr->reserved;