Re: [PATCH 3/6] xen/arm: ffa: Tighten notification parameter validation
- To: Jens Wiklander <jens.wiklander@xxxxxxxxxx>
- From: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>
- Date: Thu, 23 Apr 2026 07:30:47 +0000
- Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>
- Delivery-date: Thu, 23 Apr 2026 07:32:00 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
Hi Jens,
> On 22 Apr 2026, at 13:36, Jens Wiklander <jens.wiklander@xxxxxxxxxx> wrote:
>
> Hi Bertrand,
>
> On Fri, Apr 17, 2026 at 3:41 PM Bertrand Marquis
> <bertrand.marquis@xxxxxxx> wrote:
>>
>> The notification handlers still validate overlapping subsets of their
>> inputs. BIND, UNBIND, and SET each decode caller and destination IDs
>> locally, GET still accepts a non-zero receiver vCPU ID and reserved flag
>> bits, and SET still accepts non-zero NS-virtual flags. BIND also treats
>> unsupported non-zero flag encodings as a supported-feature failure
>> instead of as malformed input.
>>
>> Add ffa_notif_parse_params() and use it to centralize the common
>> caller/destination and non-zero bitmap checks for BIND, UNBIND, and SET.
>> Also reject malformed GET and SET requests locally before touching
>> cached state or forwarding anything to the SPMC. Keep BIND limited to
>> global notifications and reject unsupported non-zero flag encodings with
>> INVALID_PARAMETERS.
>>
>> - add a shared parameter parser for notification caller/destination
>> validation
>> - wire BIND and UNBIND through the shared parser and reject unsupported
>> bind flag encodings with INVALID_PARAMETERS
>> - reject non-zero receiver vCPU and reserved flag bits in
>> FFA_NOTIFICATION_GET
>> - reject non-zero flags in the NS-virtual FFA_NOTIFICATION_SET path
>>
>> Functional impact: malformed notification requests are rejected
>> consistently earlier in the mediator.
>>
>> Signed-off-by: Bertrand Marquis <bertrand.marquis@xxxxxxx>
>> ---
>> xen/arch/arm/tee/ffa_notif.c | 61 +++++++++++++++++++++++++++++-------
>> 1 file changed, 50 insertions(+), 11 deletions(-)
>>
>> diff --git a/xen/arch/arm/tee/ffa_notif.c b/xen/arch/arm/tee/ffa_notif.c
>> index d15119409a25..491db3b04df5 100644
>> --- a/xen/arch/arm/tee/ffa_notif.c
>> +++ b/xen/arch/arm/tee/ffa_notif.c
>> @@ -42,21 +42,40 @@ static void inject_notif_pending(struct domain *d)
>> d);
>> }
>>
>> +static int32_t ffa_notif_parse_params(uint16_t dom_id, uint16_t caller_id,
>> + uint16_t dest_id, uint32_t bitmap_lo,
>> + uint32_t bitmap_hi)
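Review bot: the signature of ffa_notif_parse_params() carries no comment describing its contract, and it takes three adjacent uint16_t arguments (dom_id, caller_id, dest_id), so a call site that passes caller_id and dest_id in the wrong order compiles without a diagnostic. A short comment above the function saying what each ID is expected to hold, which checks are applied (the commit message lists caller/destination and non-zero bitmap), and what the int32_t return value is on success and on rejection (the commit message names INVALID_PARAMETERS) would make the BIND, UNBIND and SET call sites easier to audit.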
>
> Nit: I would have picked ffa_notif_validate_params() or
> ffa_notif_check_params(), but that might be more a matter of taste.
Agree, I will rename it to validate_params.
> Anyway, looks good:
> Reviewed-by: Jens Wiklander <jens.wiklander@xxxxxxxxxx>
Thanks
Bertrand