trusty: Fix trusty_ffa_fill_desc return path

The "Add check that ffa buffer has been registered" patch added an early
return path to trusty_ffa_fill_desc, but did not destroy the incomplete
object like the other error paths do. Fix this.

Also destroy the object on invalid requests that would try to fill past the
object size, and prevent any invalid request from destroying an already
completed object (for SMC_FC_FFA_MEM_FRAG_TX).

Bug: 185886292
Change-Id: I506a4f43ea6c8466478b94537140964a463310de
diff --git a/services/spd/trusty/shared-mem-smcall.c b/services/spd/trusty/shared-mem-smcall.c
index ba60b74..99fddb9 100644
--- a/services/spd/trusty/shared-mem-smcall.c
+++ b/services/spd/trusty/shared-mem-smcall.c
@@ -280,7 +280,8 @@
 
 	if (!client->buf_size) {
 		NOTICE("%s: buffer pair not registered\n", __func__);
-		return -EINVAL;
+		ret = -EINVAL;
+		goto err_arg;
 	}
 
 	if (fragment_length > client->buf_size) {
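Review bot: Nothing at the function tells callers that trusty_ffa_fill_desc now disposes of obj on this failure too, since the early return here became `goto err_arg`. Going by the commit message the label destroys the incomplete object, so a caller that touches obj after a non-zero return would be using a destroyed object inside the monitor. I would document that on the function, e.g. `/* On any error the object is destroyed; callers must not use obj after a non-zero return. */`. The same contract covers the path changed in the second hunk. The function signature and the err_arg label are both outside this hunk, so check the wording against what the label actually does.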
@@ -293,7 +294,8 @@
 	if (fragment_length > obj->desc_size - obj->desc_filled) {
 		NOTICE("%s: bad fragment size %u > %zu remaining\n", __func__,
 		       fragment_length, obj->desc_size - obj->desc_filled);
-		return -EINVAL;
+		ret = -EINVAL;
+		goto err_arg;
 	}
 
 	memcpy((uint8_t *)&obj->desc + obj->desc_filled, client->tx_buf,
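Review bot: The bound `fragment_length > obj->desc_size - obj->desc_filled` is only sound while desc_filled never exceeds desc_size. The `%zu` format suggests both are size_t, in which case a larger desc_filled would wrap the subtraction and let the memcpy below write past the descriptor with data from the client's tx buffer. The visible code seems to keep that invariant, but since this check is what stands between a caller-supplied length and the object's memory, I would make it explicit: `if (obj->desc_filled > obj->desc_size || fragment_length > obj->desc_size - obj->desc_filled) {`. The memcpy call and the rest of the function continue outside the hunk.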
@@ -418,6 +420,12 @@
 		return -ENOENT;
 	}
 
+	if (obj->desc_filled == obj->desc_size) {
+		NOTICE("%s: object desc already filled, %zu\n", __func__,
+		       obj->desc_filled);
+		return -EINVAL;
+	}
+
 	return trusty_ffa_fill_desc(client, obj, fragment_length, smc_handle);
 }
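Review bot: The new `desc_filled == desc_size` guard carries no comment saying why it has to sit in front of the call, and the reason is not obvious from this function alone. Per the commit message, trusty_ffa_fill_desc destroys the object on its error paths, so without the guard a bad fragment request for a completed object would destroy it. A comment such as `/* Reject fragments for a completed object here: trusty_ffa_fill_desc destroys obj on error. */` above the `if` would keep someone from folding the check into the callee later. The start of this function is outside the hunk.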