feat(indirect message): use 'memcpy_trapped'
This is using the `memcpy_trapped` function added in previous
patches, to access the RXTX buffers in the handling of the
`FFA_MSG_SEND2` interface.
This is to mitigate the cases in which the PAS of:
- RX buffer of a receiver VM being in the realm PAS.
- TX buffer of a sender VM being in the realm PAS.
In both cases the interface should terminate smoothly with
FFA_ABORTED.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I23baa52238e1b21cecd60ef877847970aebc43ff
diff --git a/src/api.c b/src/api.c
index 376d6ea..001c8c9 100644
--- a/src/api.c
+++ b/src/api.c
@@ -2012,7 +2012,16 @@
* unsafe memory which could be 'corrupted' between safety checks and
* final buffer copy.
*/
- memcpy_s(&header, FFA_RXTX_HEADER_SIZE, from_msg, FFA_RXTX_HEADER_SIZE);
+ if (!memcpy_trapped(&header, FFA_RXTX_HEADER_SIZE, from_msg,
+ FFA_RXTX_HEADER_SIZE)) {
+ dlog_error(
+ "%s: Failed to copy message from sender's(%x) TX "
+ "buffer.\n",
+ __func__, sender_locked.vm->id);
+ ret = ffa_error(FFA_ABORTED);
+ goto out_unlock_sender;
+ }
+
sender_id = ffa_rxtx_header_sender(&header);
receiver_id = ffa_rxtx_header_receiver(&header);
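Review bot: The error log at the new `dlog_error` describes a failed copy of the "message", but the `memcpy_trapped` call on the preceding lines copies only `FFA_RXTX_HEADER_SIZE` bytes, i.e. the RXTX header, and is the first access to the sender's TX buffer; logging it as the header read makes the abort easier to attribute when triaging an FFA_ABORTED return. I would change the format string to `"%s: Failed to copy message header from sender's(%x) TX buffer.\n"`. On failure `header` may be partially written, which is harmless here only because the `goto out_unlock_sender` leaves it unused; a one-line comment saying so, `/* header may be partially written; it is not used after this point. */`, would keep a later refactor from reading it. The enclosing function starts before this hunk.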
@@ -2100,7 +2109,16 @@
}
/* Copy data. */
- memcpy_s(to->mailbox.recv, FFA_MSG_PAYLOAD_MAX, from_msg, msg_size);
+ if (!memcpy_trapped(to->mailbox.recv, FFA_MSG_PAYLOAD_MAX, from_msg,
+ msg_size)) {
+ dlog_error(
+ "%s: Failed to copy message to receiver's(%x) RX "
+ "buffer.\n",
+ __func__, to->id);
+ ret = ffa_error(FFA_ABORTED);
+ goto out;
+ }
+
to->mailbox.recv_size = msg_size;
to->mailbox.recv_sender = sender_id;
to->mailbox.recv_func = FFA_MSG_SEND2_32;
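Review bot: The failure log after the payload `memcpy_trapped` blames the receiver's RX buffer, but this call also reads `msg_size` bytes from `from_msg`, the sender's TX buffer, so a fault on the sender side (the second case the commit message describes) would be reported as a receiver-side problem. I would log both endpoints, e.g. `"%s: Failed to copy message from sender's(%x) TX buffer to receiver's(%x) RX buffer.\n", __func__, sender_id, to->id`, assuming `sender_id` from the first hunk is still in scope at this point. A failed copy may also leave `to->mailbox.recv` partially written; since `recv_size`, `recv_sender` and `recv_func` are only set after the copy succeeds, the partial data is presumably never exposed as a message, but a short comment at the `goto out` stating that the mailbox metadata is intentionally left untouched would make that invariant explicit. The enclosing function begins before this hunk and its `out` label is outside it.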