opensbi/lib
Takumi Hara 9595829a33 lib: sbi_domain: reject overflowing address range in check_addr_range()
sbi_domain_check_addr_range() computes `max = addr + size` without
checking for integer overflow. When a caller passes a size large enough
to wrap around (e.g. addr=0x80000000, size=0xFFFFFFFF80000000), max
becomes less than addr, causing the while(addr < max) validation loop
to be skipped entirely. The function then returns true without
performing any permission checks.

This allows an S-mode caller to bypass domain memory protection and
access M-mode memory through SBI extensions that use address range
validation (e.g. DBCN console write/read).

Add an overflow check after computing max: if size is non-zero and
max wrapped to a value <= addr, reject the request.

Signed-off-by: Takumi Hara <takumihara1226@gmail.com>
Reviewed-by: Rahul Pathak <rahul@summations.net>
Link: https://lore.kernel.org/r/20260319132232.51572-1-takumihara1226@gmail.com
Signed-off-by: Anup Patel <anup@brainfault.org>
2026-05-11 19:42:38 +05:30
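The commit message above describes an unsigned wrap in the range check: `max = addr + size` overflows, the `while (addr < max)` loop never runs, and the call succeeds without a single permission check. The following is an added illustration written for this page, not OpenSBI's code. It models the check's shape with a single hypothetical permitted region, a hypothetical 4 KiB page step, and `uint64_t` in place of the 64-bit `unsigned long` the example values in the message assume; the function names `check_addr_range_unfixed` and `check_addr_range_fixed` are likewise invented here, standing in for the before and after of `sbi_domain_check_addr_range()`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the domain memory map: one region the caller
 * is allowed to touch. Hypothetical values, not OpenSBI's data structures. */
#define REGION_BASE UINT64_C(0x80000000)
#define REGION_SIZE UINT64_C(0x00800000)
#define PAGE_SIZE   UINT64_C(0x1000)

/* Permission oracle for one page: inside the permitted region or not. */
static bool region_permits(uint64_t page)
{
    return page >= REGION_BASE && page < REGION_BASE + REGION_SIZE;
}

/* Shape of the check before the fix: no overflow test on max.
 * If addr + size wraps, max <= addr, the loop is skipped and the
 * function answers "allowed" without looking at any page. */
bool check_addr_range_unfixed(uint64_t addr, uint64_t size)
{
    uint64_t max = addr + size;

    while (addr < max) {
        if (!region_permits(addr))
            return false;
        addr += PAGE_SIZE;
    }
    return true;
}

/* Shape of the check after the fix: a non-zero size whose end wrapped
 * to a value <= addr is rejected before the loop is reached. */
bool check_addr_range_fixed(uint64_t addr, uint64_t size)
{
    uint64_t max = addr + size;

    if (size && max <= addr)
        return false;   /* wrapped range: reject */

    while (addr < max) {
        if (!region_permits(addr))
            return false;
        addr += PAGE_SIZE;
    }
    return true;
}

int main(void)
{
    /* The exact values quoted in the commit message. */
    uint64_t addr = UINT64_C(0x80000000);
    uint64_t size = UINT64_C(0xFFFFFFFF80000000);

    printf("wrapping range, unfixed: %s\n",
           check_addr_range_unfixed(addr, size) ? "allowed" : "rejected");
    printf("wrapping range, fixed:   %s\n",
           check_addr_range_fixed(addr, size) ? "allowed" : "rejected");
    return 0;
}
```

With the commit's example input, `max` becomes `0x80000000 + 0xFFFFFFFF80000000`, which wraps to 0, so the unfixed version returns true and the fixed version returns false; ordinary in-region and out-of-region requests give the same answer in both versions, which is what a regression test for this fix should assert.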