From 73e449abf49dcecea7b910fede9396e240d2d3c7 Mon Sep 17 00:00:00 2001
From: Hrishabh Rajput
Date: Fri, 4 Oct 2024 19:29:27 +0530
Subject: [PATCH] gunyah: gh_rm_iface: Fix possible gh_vm_table out-of-bounds access
gh_vm_table is an array of size GH_VM_MAX. With present index bound checks, it is possible to access the array with index GH_VM_MAX. This will lead to out-of-bounds access since the valid index should range between 0 and GH_VM_MAX-1.
Change-Id: I1ce7f1bb06f4528d03413ceb86625a0e3ea1d3f1
Signed-off-by: Hrishabh Rajput
---
 drivers/virt/gunyah/gh_rm_iface.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/drivers/virt/gunyah/gh_rm_iface.c b/drivers/virt/gunyah/gh_rm_iface.c
index 958d46301623..ddbafaff36a3 100644
--- a/drivers/virt/gunyah/gh_rm_iface.c
+++ b/drivers/virt/gunyah/gh_rm_iface.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2020-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
 *
 */
@@ -67,7 +67,7 @@ int gh_update_vm_prop_table(enum gh_vm_names vm_name,
 if (!vm_prop)
 return -EINVAL;
- if (vm_prop->vmid < 0 || vm_name < GH_SELF_VM || vm_name > GH_VM_MAX)
+ if (vm_prop->vmid < 0 || vm_name < GH_SELF_VM || vm_name >= GH_VM_MAX)
 return -EINVAL;
 spin_lock(&gh_vm_table_lock);
@@ -129,10 +129,9 @@ int ghd_rm_get_vmid(enum gh_vm_names vm_name, gh_vmid_t *vmid)
 gh_vmid_t _vmid;
 int ret = 0;
- if (vm_name < GH_SELF_VM || vm_name > GH_VM_MAX)
+ if (vm_name < GH_SELF_VM || vm_name >= GH_VM_MAX)
 return -EINVAL;
- spin_lock(&gh_vm_table_lock);
 _vmid = gh_vm_table[vm_name].vmid;
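Review bot: The corrected range test `vm_name < GH_SELF_VM || vm_name >= GH_VM_MAX` is still written out separately at each call site: here in gh_update_vm_prop_table, and again in the ghd_rm_get_vmid, gh_rm_get_vminfo and gh_rm_vm_alloc_vmid hunks. Four hand-copied bounds are how an off-by-one like this one spreads. A single helper, for example `static inline bool gh_vm_name_valid(enum gh_vm_names n) { return n >= GH_SELF_VM && n < GH_VM_MAX; }`, would keep the upper bound in one place next to the gh_vm_table definition. Any gh_vm_table[...] access in this file that the patch does not touch should be checked for the same `> GH_VM_MAX` comparison; none is visible in these hunks, and each function body continues outside its hunk.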
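Review bot: In the ghd_rm_get_vmid hunk, the `-` that precedes `spin_lock(&gh_vm_table_lock);` should be confirmed against the original patch. Whitespace is collapsed on this page, and the header counts (10 old lines, 9 new) fit both a dropped blank line and a dropped lock call. If the lock call itself was removed, `_vmid = gh_vm_table[vm_name].vmid;` would be read without gh_vm_table_lock, unlike gh_rm_get_vminfo in the next hunk, which keeps the lock and only moves it below the range check. In that case `spin_lock(&gh_vm_table_lock);` should stay directly after the `return -EINVAL;`. The rest of the function, including any unlock, is outside the hunk.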
@@ -196,11 +195,10 @@ int gh_rm_get_vminfo(enum gh_vm_names vm_name, struct gh_vminfo *vm)
 if (!vm)
 return -EINVAL;
- spin_lock(&gh_vm_table_lock);
- if (vm_name < GH_SELF_VM || vm_name > GH_VM_MAX) {
- spin_unlock(&gh_vm_table_lock);
+ if (vm_name < GH_SELF_VM || vm_name >= GH_VM_MAX)
 return -EINVAL;
- }
+
+ spin_lock(&gh_vm_table_lock);
 vm->guid = gh_vm_table[vm_name].guid;
 vm->uri = gh_vm_table[vm_name].uri;
@@ -980,7 +978,7 @@ int gh_rm_vm_alloc_vmid(enum gh_vm_names vm_name, int *vmid)
 /* Look up for the vm_name<->vmid pair if already present.
 * If so, return.
 */
- if (vm_name < GH_SELF_VM || vm_name > GH_VM_MAX)
+ if (vm_name < GH_SELF_VM || vm_name >= GH_VM_MAX)
 return -EINVAL;
 spin_lock(&gh_vm_table_lock);