From nobody Fri Apr  3 03:01:28 2026
Received: from cstnet.cn (smtp81.cstnet.cn [159.226.251.81])
	(using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 157261D130E;
	Wed, 25 Mar 2026 00:55:10 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=159.226.251.81
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1774400113; cv=none;
 b=ctuH/l6s+LzF8CUNlJ82TubzLjQLk+jm+bP4erYVzXqgM+qC5IYmpZ+Gy9YSufy4JLhLJS5TkX9W9QNgAVC4w99t5rnD5gsQ+0SHXDWlPUnblv4CkjjXZXbWb0SCNyaCSkX5aqTFRSMoJ0NIdM0CTc3YRvJ8ZBT8zrCXq1taEk0=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1774400113; c=relaxed/simple;
	bh=qcvPTnd5deZ4iLXShrdk3IyWOpcO+tDR71cJg0w/wYA=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=CdmhnHztqZGHaX1ZGE0hY1j8XVqiP+4nBOkTHfvy3dAYBfo0B8BNLV5Uaa+qytQkAYN4rdL3J9cY8sFntMGMrei14yjAzF8gi2kmHNgtTEcRRVSXbnpLwdho2j3t6vpbEq4Zkj7Tq2bs69kAyJIqL9ckbwh1lTpHP+4dwv6qzWk=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=iscas.ac.cn;
 spf=pass smtp.mailfrom=iscas.ac.cn; arc=none smtp.client-ip=159.226.251.81
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=iscas.ac.cn
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=iscas.ac.cn
Received: from localhost.localdomain (unknown [111.196.245.197])
	by APP-03 (Coremail) with SMTP id rQCowAAnQNdpMsNpuUm5Cw--.34606S2;
	Wed, 25 Mar 2026 08:55:05 +0800 (CST)
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
To: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>,
	Konrad Dybcio <konradybcio@kernel.org>
Cc: linux-arm-msm@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	pengpeng@iscas.ac.cn
Subject: [PATCH v3] misc: fastrpc: validate overlap-derived invoke buffer
 ranges
Date: Wed, 25 Mar 2026 08:55:05 +0800
Message-ID: <20260325005505.98257-1-pengpeng@iscas.ac.cn>
X-Mailer: git-send-email 2.50.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-CM-TRANSID: rQCowAAnQNdpMsNpuUm5Cw--.34606S2
X-Coremail-Antispam: 1UD129KBjvJXoWxZry7ZFWkZw1UAF1kJry3CFg_yoW5ur4fpF
	s8Ka1rGF45Xw47GF1xZF1DuryfGws5JryUGrWfG34Sv343tFy0gFyvkFyY93W8CrZrZa4U
	Krs8ta9IkF43ZaUanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
	9KBjDU0xBIdaVrnRJUUUkG14x267AKxVWUJVW8JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0
	rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02
	1l84ACjcxK6xIIjxv20xvE14v26ryj6F1UM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4j
	6F4UM28EF7xvwVC2z280aVAFwI0_Cr1j6rxdM28EF7xvwVC2z280aVCY1x0267AKxVWxJr
	0_GcWle2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx0E
	2Ix0cI8IcVAFwI0_JrI_JrylYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbVWUJV
	W8JwACjcxG0xvY0x0EwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lc7CjxVAaw2AFwI0_
	JF0_Jw1l42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxVAqx4xG67
	AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r126r1DMIIY
	rxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6xkF7I0E14
	v26r1j6r4UMIIF0xvE42xK8VAvwI8IcIk0rVWUJVWUCwCI42IY6I8E87Iv67AKxVWUJVW8
	JwCI42IY6I8E87Iv6xkF7I0E14v26r1j6r4UYxBIdaVFxhVjvjDU0xZFpf9x0JUBmhwUUU
	UU=
X-CM-SenderInfo: pshqw1xhqjqxpvfd2hldfou0/
Content-Type: text/plain; charset="utf-8"

fastrpc_get_args() derives rpra[i].buf.pv from the overlap offset that
was computed from user-controlled argument pointers and lengths. The
resulting destination pointer is later passed to copy_from_user() or
memcpy() without checking that the overlap-adjusted range still stays
inside the allocated invoke buffer.

Reject overlap-derived destinations that would point before the start of
the invoke buffer or that would extend past the end of the allocated
packet before storing rpra[i].buf.pv and before copying inline
arguments into the buffer. Static code analysis of the overlap handling
in fastrpc_get_args() identified this path.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
v3:
- separate tags from the free-flow text in the commit message
- rewrite the overlap bounds checks using explicit overflow-safe
  start/end calculations
- post the new revision as a new thread as requested in review

 drivers/misc/fastrpc.c | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 47356a5d5804..587733e6702a 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -16,6 +16,7 @@
 #include <linux/platform_device.h>
 #include <linux/sort.h>
 #include <linux/of_platform.h>
+#include <linux/overflow.h>
 #include <linux/rpmsg.h>
 #include <linux/scatterlist.h>
 #include <linux/slab.h>
@@ -992,7 +993,7 @@ static int fastrpc_get_args(u32 kernel, struct fastrpc_=
invoke_ctx *ctx)
 	int inbufs, i, oix, err =3D 0;
 	u64 len, rlen, pkt_size;
 	u64 pg_start, pg_end;
-	uintptr_t args;
+	uintptr_t args, buf_start, buf_end;
 	int metalen;
=20
 	inbufs =3D REMOTE_SCALARS_INBUFS(ctx->sc);
@@ -1016,6 +1017,11 @@ static int fastrpc_get_args(u32 kernel, struct fastr=
pc_invoke_ctx *ctx)
 	rpra =3D ctx->buf->virt;
 	list =3D fastrpc_invoke_buf_start(rpra, ctx->nscalars);
 	pages =3D fastrpc_phy_page_start(list, ctx->nscalars);
+	buf_start =3D (uintptr_t)ctx->buf->virt;
+	if (check_add_overflow(buf_start, (uintptr_t)pkt_size, &buf_end)) {
+		err =3D -EINVAL;
+		goto bail;
+	}
 	args =3D (uintptr_t)ctx->buf->virt + metalen;
 	rlen =3D pkt_size - metalen;
 	ctx->rpra =3D rpra;
@@ -1053,6 +1059,7 @@ static int fastrpc_get_args(u32 kernel, struct fastrp=
c_invoke_ctx *ctx)
 			pages[i].size =3D (pg_end - pg_start + 1) * PAGE_SIZE;
=20
 		} else {
+			uintptr_t dst, end, offset_start;
=20
 			if (ctx->olaps[oix].offset =3D=3D 0) {
 				rlen -=3D ALIGN(args, FASTRPC_ALIGN) - args;
@@ -1064,7 +1071,24 @@ static int fastrpc_get_args(u32 kernel, struct fastr=
pc_invoke_ctx *ctx)
 			if (rlen < mlen)
 				goto bail;
=20
-			rpra[i].buf.pv =3D args - ctx->olaps[oix].offset;
+			if (check_add_overflow(buf_start,
+					       (uintptr_t)ctx->olaps[oix].offset,
+					       &offset_start) ||
+			    offset_start > args) {
+				err =3D -EINVAL;
+				goto bail;
+			}
+
+			if (check_sub_overflow(args,
+					       (uintptr_t)ctx->olaps[oix].offset,
+					       &dst) ||
+			    check_add_overflow(dst, (uintptr_t)len, &end) ||
+			    end > buf_end) {
+				err =3D -EINVAL;
+				goto bail;
+			}
+
+			rpra[i].buf.pv =3D dst;
 			pages[i].addr =3D ctx->buf->dma_addr -
 					ctx->olaps[oix].offset +
 					(pkt_size - rlen);
--=20
2.50.1 (Apple Git-155)