commit a89a0a09a47a5995b7ce5aa4b27d565b605285cc
author J-Alves <joao.alves@arm.com> Mon Mar 17 11:18:20 2025 +0000
committer Joao Alves <joao.alves@arm.com> Fri Mar 28 15:21:34 2025 +0100
tree 447908ba7fc4be335079198d7b359d3569e00f09
parent 217e1a2e6b16c746de4ecbea4a80af7659dd2cae

fix: out-of-bounds access

Iterating on the interrupts descriptors assigned
to a VM must depend on VM_MANIFEST_MAX_INTERRUPTS,
rather than HF_NUM_INTIDS.

Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: Ifeb8526ea7e9a8f90f119e1c6cb0f4b862e6f44e

src/ffa/spmc/interrupts.c

diff --git a/src/ffa/spmc/interrupts.c b/src/ffa/spmc/interrupts.c
index 755dcb4..d3a77d4 100644
--- a/src/ffa/spmc/interrupts.c
+++ b/src/ffa/spmc/interrupts.c
@@ -44,7 +44,7 @@
 	for (ffa_vm_count_t index = 0; index < vm_get_count(); ++index) {
 		struct vm *vm = vm_find_index(index);
 
-		for (uint32_t j = 0; j < HF_NUM_INTIDS; j++) {
+		for (uint32_t j = 0; j < VM_MANIFEST_MAX_INTERRUPTS; j++) {
 			struct interrupt_descriptor int_desc =
 				vm->interrupt_desc[j];
 

src/ffa/spmc/vm.c

diff --git a/src/ffa/spmc/vm.c b/src/ffa/spmc/vm.c
index 5a8de6a..876b636 100644
--- a/src/ffa/spmc/vm.c
+++ b/src/ffa/spmc/vm.c
@@ -221,7 +221,7 @@
 	dlog_verbose("Interrupts belonging to SP %x disabled\n",
 		     vm_locked.vm->id);
 
-	for (uint32_t i = 0; i < HF_NUM_INTIDS; i++) {
+	for (uint32_t i = 0; i < VM_MANIFEST_MAX_INTERRUPTS; i++) {
 		struct interrupt_descriptor int_desc;
 
 		int_desc = vm_locked.vm->interrupt_desc[i];

src/vm.c

diff --git a/src/vm.c b/src/vm.c
index 4a76529..dcf7eb3 100644
--- a/src/vm.c
+++ b/src/vm.c
@@ -1089,7 +1089,7 @@
 static struct interrupt_descriptor *vm_find_interrupt_descriptor(
 	struct vm_locked vm_locked, uint32_t id)
 {
-	for (uint32_t i = 0; i < HF_NUM_INTIDS; i++) {
+	for (uint32_t i = 0; i < VM_MANIFEST_MAX_INTERRUPTS; i++) {
 		/* Interrupt descriptors are populated contiguously. */
 		if (!vm_locked.vm->interrupt_desc[i].valid) {
 			break;