Xen project Mailing List

Re: [PATCH 03/12] xen/arm: ffa: Harden shm page parsing

To: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>

From: Jens Wiklander <jens.wiklander@xxxxxxxxxx>

Date: Mon, 9 Feb 2026 16:22:48 +0100

Arc-authentication-results: i=1; mx.google.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=mfdDFWL+0l2twDO+TgLnRaPXlODpXnZ3nrJFy445z+c=; fh=wB0f5JGUSpWYejuxtnrl8SDqvqyWrEsEaWvC32LbdiU=; b=hVZcFItlIbZneOBgpVSFB+WR2/+bh1opGM05ni7+WKg+esVLE7QgDNssi3214emoi6 et3CcALrVLABJVmqaEKqrpkd/Wgve/HbvYKXb+vTn/Li9EbCP8qyUa62l1+kbQ2UEMpQ BPkOMroQ6ymQSMBMUTvdjE6FV/NwDSNr/+nPCr4GSIcArHMwNASAt6jnxIGonXuWccao SbbF9jSuXd7iQYcCaEF6pnrQN6lWcsgqW76Ter7EuvcDrYTpebvzn70ppU1qhQJtviOS j2iuNHPNvG+hIp1WoR3Ygqvo3ycJQY5B1AQHHDYMhKTnrXCbvdSinETWUX12vmhHzcbc 3jsQ==; darn=lists.xenproject.org

Arc-seal: i=1; a=rsa-sha256; t=1770650581; cv=none; d=google.com; s=arc-20240605; b=UIFU+BB/fLBt6SqBeIDA5BtCfbI0rJ2wBG2k7P2uMldqPVxr+Qn0Tp+vAHsG3rz/iE WL6M+BaHb5LMjsnCOMiFuUx+l/SzRAeHqElhtx292SXFvxT3rJFDRlOUymZ1/Xu1ToLm 8O4X6BfQj2g96UC9lU5LjnhMrnfeEhYzhDDiVObLeTXGIYa9I5LH5VvPnoqsu0k3kt9e 0LNb67ECUQT+eglhNLoCgdRC7H6Csv3gwTVlJHS0v2kizjAkCxGnqoKKc77cT8PtjGNw DBZPqPZcA9KzLIdmAIM8vWh2sZnUGNzv5xqEfDsWDDwWJ/5l0AlGBkHfrgNjY8qXs+g4 QRgg==

Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>

Delivery-date: Mon, 09 Feb 2026 15:23:18 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Bertrand, On Mon, Feb 9, 2026 at 4:11 PM Bertrand Marquis <Bertrand.Marquis@xxxxxxx> wrote: > > Hi Jens, > > > On 9 Feb 2026, at 15:26, Bertrand Marquis <Bertrand.Marquis@xxxxxxx> wrote: > > > > Hi Jens, > > > >> On 9 Feb 2026, at 10:31, Jens Wiklander <jens.wiklander@xxxxxxxxxx> wrote: > >> > >> Hi Bertrand, > >> > >> On Tue, Feb 3, 2026 at 6:38 PM Bertrand Marquis > >> <bertrand.marquis@xxxxxxx> wrote: > >>> > >>> get_shm_pages() uses unchecked address arithmetic and does not enforce > >>> alignment, so malformed descriptors can cause overflow or slip through > >>> validation. The reclaim path also repeats handle-to-shm-mem conversion > >>> in multiple places, duplicating error handling. > >>> > >>> Harden page parsing and reclaim handling: > >>> - add ffa_safe_addr_add() and use it to detect address overflows > >>> - enforce alignment checks in get_shm_pages() and return FF-A errors > >>> - introduce ffa_secure_reclaim() and use it for MEM_RECLAIM and teardown > >>> - simplify ffa_mem_share() argument handling and allow max page count > >>> > >>> Functional impact: invalid or misaligned memory ranges now fail earlier > >>> with proper error codes; behavior for valid descriptors is unchanged. > >>> > >>> Signed-off-by: Bertrand Marquis <bertrand.marquis@xxxxxxx> > >>> --- > >>> xen/arch/arm/tee/ffa_private.h | 11 +++++++ > >>> xen/arch/arm/tee/ffa_shm.c | 57 +++++++++++++++++----------------- > >>> 2 files changed, 40 insertions(+), 28 deletions(-) > >>> > >>> diff --git a/xen/arch/arm/tee/ffa_private.h > >>> b/xen/arch/arm/tee/ffa_private.h > >>> index b625f1c72914..58562d8e733c 100644 > >>> --- a/xen/arch/arm/tee/ffa_private.h > >>> +++ b/xen/arch/arm/tee/ffa_private.h > >>> @@ -632,4 +632,15 @@ static inline void ffa_uuid_set(struct ffa_uuid *id, > >>> uint32_t val0, > >>> id->val[1] = ((uint64_t)val3 << 32U) | val2; > >>> } > >>> > >>> +/* > >>> + * Common overflow-safe helper to verify that adding a number of pages > >>> to an > >>> + * address will not wrap around. > >>> + */ > >>> +static inline bool ffa_safe_addr_add(uint64_t addr, uint64_t pages) > >>> +{ > >>> + uint64_t off = pages * FFA_PAGE_SIZE; > >>> + > >>> + return (off / FFA_PAGE_SIZE) == pages && addr <= UINT64_MAX - off; > >>> +} > >>> + > >>> #endif /*__FFA_PRIVATE_H__*/ > >>> diff --git a/xen/arch/arm/tee/ffa_shm.c b/xen/arch/arm/tee/ffa_shm.c > >>> index 90800e44a86a..4c0b45cde6ee 100644 > >>> --- a/xen/arch/arm/tee/ffa_shm.c > >>> +++ b/xen/arch/arm/tee/ffa_shm.c > >>> @@ -96,16 +96,14 @@ struct ffa_shm_mem { > >>> struct page_info *pages[]; > >>> }; > >>> > >>> -static int32_t ffa_mem_share(uint32_t tot_len, uint32_t frag_len, > >>> - register_t addr, uint32_t pg_count, > >>> - uint64_t *handle) > >>> +static int32_t ffa_mem_share(uint32_t tot_len, uint64_t *handle) > >>> { > >>> struct arm_smccc_1_2_regs arg = { > >>> .a0 = FFA_MEM_SHARE_64, > >>> .a1 = tot_len, > >>> - .a2 = frag_len, > >>> - .a3 = addr, > >>> - .a4 = pg_count, > >>> + .a2 = tot_len, > >>> + .a3 = 0, > >>> + .a4 = 0, > >>> }; > >>> struct arm_smccc_1_2_regs resp; > >>> > >>> @@ -131,12 +129,16 @@ static int32_t ffa_mem_share(uint32_t tot_len, > >>> uint32_t frag_len, > >>> } > >>> } > >>> > >>> -static int32_t ffa_mem_reclaim(uint32_t handle_lo, uint32_t handle_hi, > >>> - uint32_t flags) > >>> +static int32_t ffa_secure_reclaim(struct ffa_shm_mem *shm, uint32_t > >>> flags) > >> > >> I agree with moving the uint64_to_regpair() call into this function, > >> but I'm puzzled by the new name. What's secure? > > > > This is to distinguish with reclaim for VM to VM sharing in the future as > > here > > reclaim is asked to the secure world. > > > > But in fact to be coherent I should also have renamed ffa_mem_share to > > ffa_secure_share. > > > > Would you be ok with that ? > > Looking at this a bit more, we are usually using spmc and not secure. > > Would you be ok if I rename both those to: > ffa_spmc_share > ffa_spmc_reclaim Yes, that sounds good. Cheers, Jens

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.