diff options
| author | Dan Carpenter <dan.carpenter@linaro.org> | 2024-04-24 14:40:43 +0300 |
|---|---|---|
| committer | Sudeep Holla <sudeep.holla@arm.com> | 2024-04-24 16:19:45 +0300 |
| commit | ddfade88f49d49b04930ae006ab0974eb547529c (patch) | |
| tree | 1ae5cfb2ec17930cb19e6cd4891d0d57cad09b00 /drivers/firmware | |
| parent | 02c19d84c7c5026624d181b8e4cdc8488134d013 (diff) | |
| download | linux-ddfade88f49d49b04930ae006ab0974eb547529c.tar.xz | |
firmware: arm_ffa: Fix memory corruption in ffa_msg_send2()
The "msg" pointer is a struct and msg->offset is the sizeof(*msg). The
pointer here math means the memcpy() will write outside the bounds.
Cast "msg" to a u8 pointer to fix this.
Fixes: 02c19d84c7c5 ("firmware: arm_ffa: Add support for FFA_MSG_SEND2")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/cd5fb6b5-81fa-4a6d-b2b8-284ca704bbff@moroto.mountain
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Diffstat (limited to 'drivers/firmware')
| -rw-r--r-- | drivers/firmware/arm_ffa/driver.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c index 26968edac5b2..b29496cac2af 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c @@ -363,7 +363,7 @@ static int ffa_msg_send2(u16 src_id, u16 dst_id, void *buf, size_t sz) msg->offset = sizeof(*msg); msg->send_recv_id = src_dst_ids; msg->size = sz; - memcpy(msg + msg->offset, buf, sz); + memcpy((u8 *)msg + msg->offset, buf, sz); /* flags = 0, sender VMID = 0 works for both physical/virtual NS */ invoke_ffa_fn((ffa_value_t){ |