From eca60ff31d4fb9318fc3e598df26a44d4db546d2 Mon Sep 17 00:00:00 2001
From: Tammy Leino
Date: Mon, 25 Jul 2022 13:46:58 -0700
Subject: [PATCH] Application-supplied buffer addresses not checked for validity

Code must check for valid buffer address to avoid potential corruption

Signed-off-by: Tammy Leino
---
 lib/rpmsg/rpmsg_virtio.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/lib/rpmsg/rpmsg_virtio.c b/lib/rpmsg/rpmsg_virtio.c
index cd08f40b7..d38426265 100644
--- a/lib/rpmsg/rpmsg_virtio.c
+++ b/lib/rpmsg/rpmsg_virtio.c
@@ -288,9 +288,16 @@ static int _rpmsg_virtio_get_buffer_size(struct rpmsg_virtio_device *rvdev)
 static void rpmsg_virtio_hold_rx_buffer(struct rpmsg_device *rdev, void *rxbuf)
 {
+ struct rpmsg_virtio_device *rvdev;
 struct rpmsg_hdr *rp_hdr;
- (void)rdev;
+ rvdev = metal_container_of(rdev, struct rpmsg_virtio_device, rdev);
+
+ if ((rxbuf < ((struct metal_io_region *)rvdev->rvq->shm_io)->virt +
+ sizeof(struct rpmsg_hdr)) ||
+ (rxbuf >= (((struct metal_io_region *)rvdev->rvq->shm_io)->virt +
+ ((struct metal_io_region *)rvdev->rvq->shm_io)->size)))
+ return;
 rp_hdr = RPMSG_LOCATE_HDR(rxbuf);
@@ -307,6 +314,13 @@ static void rpmsg_virtio_release_rx_buffer(struct rpmsg_device *rdev,
 uint32_t len;
 rvdev = metal_container_of(rdev, struct rpmsg_virtio_device, rdev);
+
+ if ((rxbuf < ((struct metal_io_region *)rvdev->rvq->shm_io)->virt +
+ sizeof(struct rpmsg_hdr)) ||
+ (rxbuf >= (((struct metal_io_region *)rvdev->rvq->shm_io)->virt +
+ ((struct metal_io_region *)rvdev->rvq->shm_io)->size)))
+ return;
+
 rp_hdr = RPMSG_LOCATE_HDR(rxbuf);
 /* The reserved field contains buffer index */
 idx = (uint16_t)(rp_hdr->reserved & ~RPMSG_BUF_HELD);
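Review bot: The new range check does arithmetic and ordered comparison on `void *` (`->virt + sizeof(struct rpmsg_hdr)`), which is a GCC extension rather than standard C, and it is pasted verbatim into rpmsg_virtio_hold_rx_buffer here, again into rpmsg_virtio_release_rx_buffer in the next hunk, and in a near copy into rpmsg_virtio_send_offchannel_nocopy in the third hunk. libmetal's metal_io_virt_to_offset() already answers "is this address inside the region" with METAL_BAD_OFFSET for a miss, so one static helper working in offsets can replace all three copies and keep the bound in one place. The check only establishes that rxbuf lies somewhere inside the shared region, not that it is the start of a buffer this device handed out, so the `reserved` index read through RPMSG_LOCATE_HDR a few lines later is still untrusted; if the code that consumes idx (outside these hunks) does not bound it against the virtqueue size, that check belongs next to this one. In these two void functions a rejected pointer is dropped silently, which will look like a buffer leak to the application; a `metal_log(METAL_LOG_WARNING, "%s: buffer %p outside shm region\n", __func__, rxbuf);` before the return would make the bug visible. Both function bodies continue past the end of their hunks.
```c
/* Nonzero when buf lies inside the virtqueue's shared-buffer region with
 * room for an rpmsg_hdr in front of it.  Working in offsets avoids pointer
 * arithmetic on void * and centralises the bound for all three callers. */
static int rpmsg_virtio_buf_in_region(struct rpmsg_virtio_device *rvdev,
				      void *buf)
{
	struct metal_io_region *io = (struct metal_io_region *)rvdev->rvq->shm_io;
	unsigned long off = metal_io_virt_to_offset(io, buf);

	return off != METAL_BAD_OFFSET && off >= sizeof(struct rpmsg_hdr);
}

static void rpmsg_virtio_hold_rx_buffer(struct rpmsg_device *rdev, void *rxbuf)
{
	struct rpmsg_virtio_device *rvdev;
	struct rpmsg_hdr *rp_hdr;

	rvdev = metal_container_of(rdev, struct rpmsg_virtio_device, rdev);
	if (!rpmsg_virtio_buf_in_region(rvdev, rxbuf)) {
		metal_log(METAL_LOG_WARNING, "%s: buffer %p outside shm region\n",
			  __func__, rxbuf);
		return;
	}
	/* … unchanged: RPMSG_LOCATE_HDR(rxbuf) and the held-flag update … */
```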
@@ -377,6 +391,12 @@ static int rpmsg_virtio_send_offchannel_nocopy(struct rpmsg_device *rdev,
 /* Get the associated remote device for channel. */
 rvdev = metal_container_of(rdev, struct rpmsg_virtio_device, rdev);
+ if ((data < ((struct metal_io_region *)rvdev->rvq->shm_io)->virt +
+ sizeof(struct rpmsg_hdr)) ||
+ ((data + len) > (((struct metal_io_region *)rvdev->rvq->shm_io)->virt +
+ ((struct metal_io_region *)rvdev->rvq->shm_io)->size)))
+ return RPMSG_ERR_PARAM;
+
 hdr = RPMSG_LOCATE_HDR(data);
 /* The reserved field contains buffer index */
 idx = hdr->reserved;
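Review bot: The upper bound is computed as `(data + len) > virt + size`, which forms a pointer past the end of the region when len is too large; that is the overflow the check is meant to catch, yet pointer arithmetic beyond the object is undefined and the compiler is free to assume it does not wrap. Expressing it in offsets keeps the arithmetic in unsigned integers: compute `off = metal_io_virt_to_offset(io, data)` first and reject with `if (off == METAL_BAD_OFFSET || off < sizeof(struct rpmsg_hdr) || len > io->size - off)`. The region consulted is `rvdev->rvq->shm_io` although data here is a TX buffer; if the RX and TX virtqueues can be backed by different io regions, the send path should check against the TX queue's region instead, otherwise a comment noting that both queues share one region would save the next reader the question. The function body continues outside the hunk.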