lib: sbi_domain: reject overflowing address range in check_addr_range()

sbi_domain_check_addr_range() computes `max = addr + size` without
checking for integer overflow. When a caller passes a size large enough
to wrap around (e.g. addr=0x80000000, size=0xFFFFFFFF80000000), max
becomes less than addr, causing the while(addr < max) validation loop
to be skipped entirely. The function then returns true without
performing any permission checks.

This allows an S-mode caller to bypass domain memory protection and
access M-mode memory through SBI extensions that use address range
validation (e.g. DBCN console write/read).

Add an overflow check after computing max: if size is non-zero and
max wrapped to a value <= addr, reject the request.

Signed-off-by: Takumi Hara <takumihara1226@gmail.com>
Reviewed-by: Rahul Pathak <rahul@summations.net>
Link: https://lore.kernel.org/r/20260319132232.51572-1-takumihara1226@gmail.com
Signed-off-by: Anup Patel <anup@brainfault.org>
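The overflow described in the commit message, modelled as an added example that is not OpenSBI's sbi_domain_check_addr_range() and not part of this commit. The region table, the `struct toy_region` type, `find_region()` and `walk_range()` are all constructed for this example; the only values taken from the page are the addr/size pair in the message. Addresses are 64-bit so that wrapping size fits, and the same walk is run with and without the guard so the difference is visible:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of a domain memory check, written for this example. It is not
 * OpenSBI's code; the regions below are constructed, not a real memory map.
 */
struct toy_region {
	uint64_t base;
	uint64_t size;
	bool s_mode_ok;   /* may a supervisor-mode caller touch this region? */
};

/* Constructed layout: 2 MiB at 0x80000000 is M-mode only, the next 16 MiB is S-mode accessible. */
static const struct toy_region regions[] = {
	{ 0x80000000ULL, 0x00200000ULL, false },
	{ 0x80200000ULL, 0x01000000ULL, true  },
};

static const struct toy_region *find_region(uint64_t addr)
{
	for (size_t i = 0; i < sizeof(regions) / sizeof(regions[0]); i++) {
		if (addr >= regions[i].base && addr - regions[i].base < regions[i].size)
			return &regions[i];
	}
	return NULL;
}

/*
 * Walk [addr, addr + size): every address must fall in a region the caller
 * may use. With reject_wrap == false this has the pre-fix shape described in
 * the commit message: a wrapped max makes the loop condition false at once,
 * so nothing is checked and the function returns true.
 */
static bool walk_range(uint64_t addr, uint64_t size, bool reject_wrap)
{
	uint64_t max = addr + size;   /* unsigned add: may wrap below addr */

	/* The fix: a non-empty range whose end is not above its start has wrapped. */
	if (reject_wrap && size && max <= addr)
		return false;

	while (addr < max) {
		const struct toy_region *reg = find_region(addr);
		if (!reg || !reg->s_mode_ok)
			return false;
		/* Continue from the end of this region; the next pass re-checks there. */
		addr = reg->base + reg->size;
	}
	return true;
}

/* Pre-fix behaviour: no overflow guard. */
bool check_addr_range_unguarded(uint64_t addr, uint64_t size)
{
	return walk_range(addr, size, false);
}

/* Post-fix behaviour: wrapped ranges are rejected before any region lookup. */
bool check_addr_range_guarded(uint64_t addr, uint64_t size)
{
	return walk_range(addr, size, true);
}

int main(void)
{
	/* addr/size pair from the commit message, used here as constructed input. */
	uint64_t addr = 0x80000000ULL, size = 0xFFFFFFFF80000000ULL;

	printf("wrapping range: unguarded=%d guarded=%d\n",
	       check_addr_range_unguarded(addr, size),
	       check_addr_range_guarded(addr, size));
	printf("in-bounds S-mode range: guarded=%d\n",
	       check_addr_range_guarded(0x80200000ULL, 0x1000ULL));
	return 0;
}
```

Note that a zero-length range still passes both versions: `size && ...` deliberately leaves `size == 0` alone, and the `while` loop then runs zero times. A compiler-assisted alternative with the same effect is `__builtin_add_overflow(addr, size, &max)` (GCC/Clang), which avoids computing the wrapped sum at all.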
Takumi Hara
2026-03-19 22:22:32 +09:00
committed by Anup Patel
parent d9637d00bf
commit 9595829a33
@@ -505,6 +505,9 @@ bool sbi_domain_check_addr_range(const struct sbi_domain *dom,
if (!dom)
return false;
if (size && max <= addr)
return false;
while (addr < max) {
reg = find_region(dom, addr);
if (!reg)
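Review bot: the added `if (size && max <= addr)` only reads as an overflow test to someone who knows `max` is `addr + size`, and that computation sits above the visible context; a short comment on the new line, e.g. `/* addr + size wrapped around */`, would record the intent for the next reader. The `size &&` qualifier is right (a zero-length range must not trip the guard), but it also means a zero-length request still falls through to the `while (addr < max)` loop, runs zero iterations and returns true with no region lookup; if that is intended, say so in the same comment, since the commit message only describes the wrapped case.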