Merge "fix(versal-net): fix BLXX memory limits for user defined values" into integration
diff --git a/plat/intel/soc/common/include/socfpga_fcs.h b/plat/intel/soc/common/include/socfpga_fcs.h
index 8a8f348..6bb70e0 100644
--- a/plat/intel/soc/common/include/socfpga_fcs.h
+++ b/plat/intel/soc/common/include/socfpga_fcs.h
@@ -72,6 +72,9 @@
#define FCS_AES_MIN_DATA_SIZE 0x20 /* 32 Byte */
#define FCS_AES_CMD_MAX_WORD_SIZE 15U
+#define FCS_MAX_DATA_SIZE 0x20000000 /* 512 MB */
+#define FCS_MIN_DATA_SIZE 0x8 /* 8 Bytes */
+
#define FCS_GET_DIGEST_CMD_MAX_WORD_SIZE 7U
#define FCS_GET_DIGEST_RESP_MAX_WORD_SIZE 19U
#define FCS_MAC_VERIFY_CMD_MAX_WORD_SIZE 23U
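Review bot: The two new constants are written without the `U` suffix that the neighbouring word-size limits (`15U` on the line above, `7U`/`19U`/`23U` below) carry, so the header is now inconsistent in its own style. Both values are only ever compared with `uint32_t` sizes in socfpga_sip_fcs.c, so `#define FCS_MAX_DATA_SIZE 0x20000000U /* 512 MB */` and `#define FCS_MIN_DATA_SIZE 0x8U /* 8 Bytes */` keep the unsigned form uniform and avoid any signed/unsigned promotion question in those comparisons.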
diff --git a/plat/intel/soc/common/sip/socfpga_sip_fcs.c b/plat/intel/soc/common/sip/socfpga_sip_fcs.c
index d99026b..beaa720 100644
--- a/plat/intel/soc/common/sip/socfpga_sip_fcs.c
+++ b/plat/intel/soc/common/sip/socfpga_sip_fcs.c
@@ -1073,6 +1073,7 @@
uint32_t resp_len;
uint32_t payload[FCS_MAC_VERIFY_CMD_MAX_WORD_SIZE] = {0U};
uintptr_t mac_offset;
+ uint32_t dst_size_check = 0;
if (dst_size == NULL || mbox_error == NULL) {
return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -1097,6 +1098,14 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ dst_size_check = *dst_size;
+ if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+ dst_size_check < FCS_MIN_DATA_SIZE) ||
+ (src_size > FCS_MAX_DATA_SIZE ||
+ src_size < FCS_MIN_DATA_SIZE)) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
resp_len = *dst_size / MBOX_WORD_BYTE;
/* Prepare crypto header */
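Review bot: The range check validates a snapshot, `dst_size_check = *dst_size`, but the very next line still derives `resp_len` from a fresh `*dst_size` read, so the value that was validated is not the one that is used; `resp_len = dst_size_check / MBOX_WORD_BYTE;` keeps the two in step and gives the local copy a reason to exist, ideally with a comment such as `/* snapshot *dst_size once so the bounds check and later use see one value */`. The same pattern recurs in the hunks at @@ -1214, -1331, -1415, -1714, -1819 and -2005. Separately, the SHA2 verify variants in this same commit (@@ -1700, @@ -1819) add `if (data_size > src_size)` before any subtraction, but this MAC verify path does not; the later word-count guard happens to reject the wrapped value, yet an explicit guard here would make that intent visible rather than incidental. The enclosing function begins before this hunk.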
@@ -1149,6 +1158,12 @@
FCS_CS_FIELD_FLAG_FINALIZE) {
/* Copy mac data to command */
mac_offset = src_addr + data_size;
+
+ if ((i + ((src_size - data_size) / MBOX_WORD_BYTE)) >
+ FCS_MAC_VERIFY_CMD_MAX_WORD_SIZE) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
memcpy((uint8_t *) &payload[i], (uint8_t *) mac_offset,
src_size - data_size);
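Review bot: The new bound divides the remaining byte count by MBOX_WORD_BYTE before comparing with FCS_MAC_VERIFY_CMD_MAX_WORD_SIZE, so a tail of 1–3 bytes past the last full word is not counted; when `i` already equals the limit (or the tail pushes the total to the limit) the comparison passes and the memcpy on the next line can still write up to 3 bytes past the end of `payload[]`. Unless `src_size - data_size` is guaranteed to be a multiple of MBOX_WORD_BYTE (no such check is visible in this hunk), compare in bytes against the array itself: `if (((size_t)i * MBOX_WORD_BYTE) + (src_size - data_size) > sizeof(payload)) {`. The same truncating form is used at @@ -1269, -1357, -1443, -1761, -1874, -2028 and -2162 and deserves the same treatment. The enclosing function extends beyond this hunk on both sides.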
@@ -1189,7 +1204,7 @@
uint32_t resp_len;
uint32_t payload[FCS_MAC_VERIFY_CMD_MAX_WORD_SIZE] = {0U};
uintptr_t mac_offset;
-
+ uint32_t dst_size_check = 0;
/*
* Source data must be 4 bytes aligned
* User data must be 8 bytes aligned
@@ -1214,6 +1229,14 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ dst_size_check = *dst_size;
+ if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+ dst_size_check < FCS_MIN_DATA_SIZE) ||
+ (src_size > FCS_MAX_DATA_SIZE ||
+ src_size < FCS_MIN_DATA_SIZE)) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
resp_len = *dst_size / MBOX_WORD_BYTE;
/* Prepare crypto header */
@@ -1269,6 +1292,12 @@
* mac_offset = MAC data
*/
mac_offset = dst_addr;
+
+ if ((i + ((src_size - data_size) / MBOX_WORD_BYTE)) >
+ FCS_MAC_VERIFY_CMD_MAX_WORD_SIZE) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
memcpy((uint8_t *) &payload[i], (uint8_t *) mac_offset,
src_size - data_size);
@@ -1316,6 +1345,7 @@
uint32_t payload[FCS_ECDSA_HASH_SIGN_CMD_MAX_WORD_SIZE] = {0U};
uint32_t resp_len;
uintptr_t hash_data_addr;
+ uint32_t dst_size_check = 0;
if ((dst_size == NULL) || (mbox_error == NULL)) {
return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -1331,6 +1361,14 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ dst_size_check = *dst_size;
+ if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+ dst_size_check < FCS_MIN_DATA_SIZE) ||
+ (src_size > FCS_MAX_DATA_SIZE ||
+ src_size < FCS_MIN_DATA_SIZE)) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
resp_len = *dst_size / MBOX_WORD_BYTE;
/* Prepare command payload */
@@ -1357,6 +1395,12 @@
/* Hash Data */
i++;
hash_data_addr = src_addr;
+
+ if ((i + ((src_size) / MBOX_WORD_BYTE)) >
+ FCS_ECDSA_HASH_SIGN_CMD_MAX_WORD_SIZE) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
memcpy((uint8_t *) &payload[i], (uint8_t *) hash_data_addr,
src_size);
@@ -1400,6 +1444,7 @@
uint32_t payload[FCS_ECDSA_HASH_SIG_VERIFY_CMD_MAX_WORD_SIZE] = {0U};
uint32_t resp_len;
uintptr_t hash_sig_pubkey_addr;
+ uint32_t dst_size_check = 0;
if ((dst_size == NULL) || (mbox_error == NULL)) {
return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -1415,6 +1460,14 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ dst_size_check = *dst_size;
+ if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+ dst_size_check < FCS_MIN_DATA_SIZE) ||
+ (src_size > FCS_MAX_DATA_SIZE ||
+ src_size < FCS_MIN_DATA_SIZE)) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
resp_len = *dst_size / MBOX_WORD_BYTE;
/* Prepare command payload */
@@ -1443,6 +1496,12 @@
/* Hash Data Word, Signature Data Word and Public Key Data word */
i++;
hash_sig_pubkey_addr = src_addr;
+
+ if ((i + ((src_size) / MBOX_WORD_BYTE)) >
+ FCS_ECDSA_HASH_SIG_VERIFY_CMD_MAX_WORD_SIZE) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
memcpy((uint8_t *) &payload[i],
(uint8_t *) hash_sig_pubkey_addr, src_size);
@@ -1690,6 +1749,7 @@
uint32_t payload[FCS_ECDSA_SHA2_DATA_SIG_VERIFY_CMD_MAX_WORD_SIZE] = {0U};
uint32_t resp_len;
uintptr_t sig_pubkey_offset;
+ uint32_t dst_size_check = 0;
if ((dst_size == NULL) || (mbox_error == NULL)) {
return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -1700,6 +1760,10 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ if (data_size > src_size) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
if (!is_size_4_bytes_aligned(src_size)) {
return INTEL_SIP_SMC_STATUS_REJECTED;
}
@@ -1714,6 +1778,14 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ dst_size_check = *dst_size;
+ if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+ dst_size_check < FCS_MIN_DATA_SIZE) ||
+ (src_size > FCS_MAX_DATA_SIZE ||
+ src_size < FCS_MIN_DATA_SIZE)) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
resp_len = *dst_size / MBOX_WORD_BYTE;
/* Prepare crypto header */
@@ -1761,6 +1833,12 @@
FCS_CS_FIELD_FLAG_FINALIZE) {
/* Signature + Public Key Data */
sig_pubkey_offset = src_addr + data_size;
+
+ if ((i + ((src_size - data_size) / MBOX_WORD_BYTE)) >
+ FCS_ECDSA_SHA2_DATA_SIG_VERIFY_CMD_MAX_WORD_SIZE) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
memcpy((uint8_t *) &payload[i], (uint8_t *) sig_pubkey_offset,
src_size - data_size);
@@ -1801,6 +1879,7 @@
uint32_t payload[FCS_ECDSA_SHA2_DATA_SIG_VERIFY_CMD_MAX_WORD_SIZE] = {0U};
uint32_t resp_len;
uintptr_t sig_pubkey_offset;
+ uint32_t dst_size_check = 0;
/*
* Source data must be 4 bytes aligned
@@ -1819,11 +1898,23 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ if (data_size > src_size) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
if (!is_address_in_ddr_range(src_addr, src_size) ||
!is_address_in_ddr_range(dst_addr, *dst_size)) {
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ dst_size_check = *dst_size;
+ if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+ dst_size_check < FCS_MIN_DATA_SIZE) ||
+ (src_size > FCS_MAX_DATA_SIZE ||
+ src_size < FCS_MIN_DATA_SIZE)) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
resp_len = *dst_size / MBOX_WORD_BYTE;
/* Prepare crypto header */
@@ -1874,6 +1965,12 @@
* sig_pubkey_offset is Signature + Public Key Data
*/
sig_pubkey_offset = dst_addr;
+
+ if ((i + ((src_size - data_size) / MBOX_WORD_BYTE)) >
+ FCS_ECDSA_SHA2_DATA_SIG_VERIFY_CMD_MAX_WORD_SIZE) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
memcpy((uint8_t *) &payload[i], (uint8_t *) sig_pubkey_offset,
src_size - data_size);
@@ -1990,11 +2087,13 @@
uint32_t payload[FCS_ECDH_REQUEST_CMD_MAX_WORD_SIZE] = {0U};
uint32_t resp_len;
uintptr_t pubkey;
+ uint32_t dst_size_check = 0;
if ((dst_size == NULL) || (mbox_error == NULL)) {
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+
if (fcs_ecdh_request_param.session_id != session_id ||
fcs_ecdh_request_param.context_id != context_id) {
return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -2005,6 +2104,14 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ dst_size_check = *dst_size;
+ if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+ dst_size_check < FCS_MIN_DATA_SIZE) ||
+ (src_size > FCS_MAX_DATA_SIZE ||
+ src_size < FCS_MIN_DATA_SIZE)) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
resp_len = *dst_size / MBOX_WORD_BYTE;
/* Prepare command payload */
@@ -2028,6 +2135,12 @@
i++;
/* Public key data */
pubkey = src_addr;
+
+ if ((i + ((src_size) / MBOX_WORD_BYTE)) >
+ FCS_ECDH_REQUEST_CMD_MAX_WORD_SIZE) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
memcpy((uint8_t *) &payload[i], (uint8_t *) pubkey, src_size);
i += src_size / MBOX_WORD_BYTE;
@@ -2162,6 +2275,11 @@
fcs_aes_crypt_payload[i] = fcs_aes_init_payload.key_id;
i++;
+ if ((i + ((fcs_aes_init_payload.param_size) / MBOX_WORD_BYTE)) >
+ FCS_AES_CMD_MAX_WORD_SIZE) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
memcpy((uint8_t *) &fcs_aes_crypt_payload[i],
(uint8_t *) fcs_aes_init_payload.crypto_param,
fcs_aes_init_payload.param_size);
diff --git a/plat/intel/soc/common/soc/socfpga_handoff.c b/plat/intel/soc/common/soc/socfpga_handoff.c
index 4bb3a96..a3146b4 100644
--- a/plat/intel/soc/common/soc/socfpga_handoff.c
+++ b/plat/intel/soc/common/soc/socfpga_handoff.c
@@ -4,6 +4,7 @@
* SPDX-License-Identifier: BSD-3-Clause
*/
+#include <errno.h>
#include <string.h>
#include "socfpga_handoff.h"
@@ -17,6 +18,10 @@
uint32_t *buffer;
handoff *handoff_ptr = (handoff *) PLAT_HANDOFF_OFFSET;
+ if (sizeof(*handoff_ptr) > sizeof(handoff)) {
+ return -EOVERFLOW;
+ }
+
memcpy(reverse_hoff_ptr, handoff_ptr, sizeof(handoff));
buffer = (uint32_t *)reverse_hoff_ptr;
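Review bot: `sizeof(*handoff_ptr)` and `sizeof(handoff)` are the size of the same type, since `handoff_ptr` is declared as `handoff *` on the line above, so the new comparison is a compile-time constant false and the memcpy that follows is no better bounded than before the change. If the intent is to protect the destination, the function needs the capacity of the buffer behind `reverse_hoff_ptr` (a size parameter or a known constant) to compare with `sizeof(handoff)`; if the intent is only to assert the layout, a `_Static_assert` would document that without dead runtime code. The enclosing function starts before this hunk, so what size the caller guarantees for `reverse_hoff_ptr` is not visible here.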
diff --git a/plat/intel/soc/common/soc/socfpga_mailbox.c b/plat/intel/soc/common/soc/socfpga_mailbox.c
index b76cde0..525ac2b 100644
--- a/plat/intel/soc/common/soc/socfpga_mailbox.c
+++ b/plat/intel/soc/common/soc/socfpga_mailbox.c
@@ -185,6 +185,7 @@
uint32_t resp_data;
uint32_t ret_resp_len = 0;
uint8_t is_done = 0;
+ uint32_t resp_len_check = 0;
if ((mailbox_resp_ctr.flag & MBOX_PAYLOAD_FLAG_BUSY) != 0) {
ret_resp_len = MBOX_RESP_LEN(
@@ -244,6 +245,12 @@
*resp_len = ret_resp_len;
}
+ resp_len_check = (uint32_t) *resp_len;
+
+ if (resp_len_check > MBOX_DATA_MAX_LEN) {
+ return MBOX_RET_ERROR;
+ }
+
memcpy((uint8_t *) response,
(uint8_t *) mailbox_resp_ctr.payload->data,
*resp_len * MBOX_WORD_BYTE);
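Review bot: The length is validated only after `*resp_len = ret_resp_len;` has already been stored (inside a conditional whose start lies outside the hunk), so on the MBOX_RET_ERROR path the caller's `*resp_len` is left holding the rejected, over-long value while the data was not copied. Checking `ret_resp_len` against MBOX_DATA_MAX_LEN before it is written back, or resetting `*resp_len` to 0 on the error return, keeps the out-parameter consistent with the return code. The check also bounds the copy by what is presumably the payload's own capacity rather than by the size of the caller's `response` buffer; whether every caller provides at least MBOX_DATA_MAX_LEN words is not visible here (this assumes MBOX_DATA_MAX_LEN is a word count, matching the `*resp_len * MBOX_WORD_BYTE` on the last line).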
diff --git a/plat/intel/soc/common/socfpga_sip_svc.c b/plat/intel/soc/common/socfpga_sip_svc.c
index f2b354d..ff050e4 100644
--- a/plat/intel/soc/common/socfpga_sip_svc.c
+++ b/plat/intel/soc/common/socfpga_sip_svc.c
@@ -444,6 +444,10 @@
static uint32_t intel_rsu_update(uint64_t update_address)
{
+ if (update_address > SIZE_MAX) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
intel_rsu_update_address = update_address;
return INTEL_SIP_SMC_STATUS_OK;
}
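Review bot: `update_address` is a `uint64_t` and on an AArch64 build `SIZE_MAX` is the largest `uint64_t`, so `update_address > SIZE_MAX` can never be true and the new guard is dead code (most compilers warn that the comparison is always false). If the goal is to reject addresses outside the memory the RSU path may legitimately use, a range check is what is needed; the FCS handlers elsewhere in this same change use `is_address_in_ddr_range()`, and if that helper is reachable from this file it would be the natural fit, though the range RSU actually requires is not visible here. The function body is fully within the hunk.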
diff --git a/plat/xilinx/versal/include/platform_def.h b/plat/xilinx/versal/include/platform_def.h
index b7a94c1..6c1d8b6 100644
--- a/plat/xilinx/versal/include/platform_def.h
+++ b/plat/xilinx/versal/include/platform_def.h
@@ -33,12 +33,12 @@
*/
#ifndef VERSAL_ATF_MEM_BASE
# define BL31_BASE U(0xfffe0000)
-# define BL31_LIMIT U(0xffffffff)
+# define BL31_LIMIT U(0x100000000)
#else
# define BL31_BASE (VERSAL_ATF_MEM_BASE)
-# define BL31_LIMIT (VERSAL_ATF_MEM_BASE + VERSAL_ATF_MEM_SIZE - 1)
+# define BL31_LIMIT (VERSAL_ATF_MEM_BASE + VERSAL_ATF_MEM_SIZE)
# ifdef VERSAL_ATF_MEM_PROGBITS_SIZE
-# define BL31_PROGBITS_LIMIT (VERSAL_ATF_MEM_BASE + VERSAL_ATF_MEM_PROGBITS_SIZE - 1)
+# define BL31_PROGBITS_LIMIT (VERSAL_ATF_MEM_BASE + VERSAL_ATF_MEM_PROGBITS_SIZE)
# endif
#endif
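Review bot: The limits change from an inclusive last address to an exclusive end address (`BASE + SIZE` in place of `BASE + SIZE - 1`, `U(0x100000000)` in place of `U(0xffffffff)`), which is consistent with the `TSP_SEC_MEM_SIZE` change later in this file, but any other consumer in the versal or zynqmp platform code that still computes a size as `LIMIT - BASE + 1` or maps `LIMIT` as the last byte would now be off by one; those consumers are outside this diff, so I can only flag them for a check. A one-line comment beside the defines, e.g. `/* *_LIMIT values are exclusive end addresses (BASE + SIZE) */`, would record the convention for the next edit; the zynqmp section makes the same change and would benefit from the same note.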
@@ -47,10 +47,10 @@
******************************************************************************/
#ifndef VERSAL_BL32_MEM_BASE
# define BL32_BASE U(0x60000000)
-# define BL32_LIMIT U(0x7fffffff)
+# define BL32_LIMIT U(0x80000000)
#else
# define BL32_BASE (VERSAL_BL32_MEM_BASE)
-# define BL32_LIMIT (VERSAL_BL32_MEM_BASE + VERSAL_BL32_MEM_SIZE - 1)
+# define BL32_LIMIT (VERSAL_BL32_MEM_BASE + VERSAL_BL32_MEM_SIZE)
#endif
/*******************************************************************************
@@ -66,7 +66,7 @@
* TSP specific defines.
******************************************************************************/
#define TSP_SEC_MEM_BASE BL32_BASE
-#define TSP_SEC_MEM_SIZE (BL32_LIMIT - BL32_BASE + 1)
+#define TSP_SEC_MEM_SIZE (BL32_LIMIT - BL32_BASE)
/* ID of the secure physical generic timer interrupt used by the TSP */
#define TSP_IRQ_SEC_PHY_TIMER ARM_IRQ_SEC_PHY_TIMER
diff --git a/plat/xilinx/zynqmp/include/platform_def.h b/plat/xilinx/zynqmp/include/platform_def.h
index d623420..f6d9ce1 100644
--- a/plat/xilinx/zynqmp/include/platform_def.h
+++ b/plat/xilinx/zynqmp/include/platform_def.h
@@ -44,13 +44,13 @@
# define BL31_LIMIT U(0x100000000)
#else
# define BL31_BASE U(0x1000)
-# define BL31_LIMIT U(0x7ffff)
+# define BL31_LIMIT U(0x80000)
#endif
#else
# define BL31_BASE (ZYNQMP_ATF_MEM_BASE)
-# define BL31_LIMIT (ZYNQMP_ATF_MEM_BASE + ZYNQMP_ATF_MEM_SIZE - 1)
+# define BL31_LIMIT (ZYNQMP_ATF_MEM_BASE + ZYNQMP_ATF_MEM_SIZE)
# ifdef ZYNQMP_ATF_MEM_PROGBITS_SIZE
-# define BL31_PROGBITS_LIMIT (ZYNQMP_ATF_MEM_BASE + ZYNQMP_ATF_MEM_PROGBITS_SIZE - 1)
+# define BL31_PROGBITS_LIMIT (ZYNQMP_ATF_MEM_BASE + ZYNQMP_ATF_MEM_PROGBITS_SIZE)
# endif
#endif
@@ -59,10 +59,10 @@
******************************************************************************/
#ifndef ZYNQMP_BL32_MEM_BASE
# define BL32_BASE U(0x60000000)
-# define BL32_LIMIT U(0x7fffffff)
+# define BL32_LIMIT U(0x80000000)
#else
# define BL32_BASE (ZYNQMP_BL32_MEM_BASE)
-# define BL32_LIMIT (ZYNQMP_BL32_MEM_BASE + ZYNQMP_BL32_MEM_SIZE - 1)
+# define BL32_LIMIT (ZYNQMP_BL32_MEM_BASE + ZYNQMP_BL32_MEM_SIZE)
#endif
/*******************************************************************************
@@ -78,7 +78,7 @@
* TSP specific defines.
******************************************************************************/
#define TSP_SEC_MEM_BASE BL32_BASE
-#define TSP_SEC_MEM_SIZE (BL32_LIMIT - BL32_BASE + 1)
+#define TSP_SEC_MEM_SIZE (BL32_LIMIT - BL32_BASE)
/* ID of the secure physical generic timer interrupt used by the TSP */
#define TSP_IRQ_SEC_PHY_TIMER ARM_IRQ_SEC_PHY_TIMER