From a30441c0063c01c0dcc1640cb0fef1cfbb7bb815 Mon Sep 17 00:00:00 2001
From: Tammy Leino
Date: Tue, 4 Oct 2022 07:53:06 -0700
Subject: [PATCH] Application-supplied buffer addresses not checked for validity

Code must check for valid buffer address to avoid potential corruption

Signed-off-by: Tammy Leino
---
 lib/rpmsg/rpmsg_virtio.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/lib/rpmsg/rpmsg_virtio.c b/lib/rpmsg/rpmsg_virtio.c
index cd08f40b7..d55dc37b1 100644
--- a/lib/rpmsg/rpmsg_virtio.c
+++ b/lib/rpmsg/rpmsg_virtio.c
@@ -288,9 +288,14 @@ static int _rpmsg_virtio_get_buffer_size(struct rpmsg_virtio_device *rvdev)
 static void rpmsg_virtio_hold_rx_buffer(struct rpmsg_device *rdev, void *rxbuf)
 {
+ struct rpmsg_virtio_device *rvdev;
 struct rpmsg_hdr *rp_hdr;
- (void)rdev;
+ rvdev = metal_container_of(rdev, struct rpmsg_virtio_device, rdev);
+
+ if (!metal_io_is_block_valid(rvdev->rvq->shm_io, sizeof(struct rpmsg_hdr),
+ rxbuf, 0))
+ return;
 rp_hdr = RPMSG_LOCATE_HDR(rxbuf);
@@ -307,6 +312,11 @@ static void rpmsg_virtio_release_rx_buffer(struct rpmsg_device *rdev,
 uint32_t len;
 rvdev = metal_container_of(rdev, struct rpmsg_virtio_device, rdev);
+
+ if (!metal_io_is_block_valid(rvdev->rvq->shm_io, sizeof(struct rpmsg_hdr),
+ rxbuf, 0))
+ return;
+
 rp_hdr = RPMSG_LOCATE_HDR(rxbuf);
 /* The reserved field contains buffer index */
 idx = (uint16_t)(rp_hdr->reserved & ~RPMSG_BUF_HELD);
@@ -377,6 +387,10 @@ static int rpmsg_virtio_send_offchannel_nocopy(struct rpmsg_device *rdev,
 /* Get the associated remote device for channel. */
 rvdev = metal_container_of(rdev, struct rpmsg_virtio_device, rdev);
+ if (!metal_io_is_block_valid(rvdev->rvq->shm_io, sizeof(struct rpmsg_hdr),
+ data, len))
+ return RPMSG_ERR_PARAM;
+
 hdr = RPMSG_LOCATE_HDR(data);
 /* The reserved field contains buffer index */
 idx = hdr->reserved;
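Review bot: The new guard in rpmsg_virtio_hold_rx_buffer() returns silently, and because the function is void the application cannot tell that its hold request was dropped; the guard added to rpmsg_virtio_release_rx_buffer() in the next hunk behaves the same way. I would document this at the guard, e.g. `/* rxbuf is not inside the shared memory region: ignore the request rather than touch the header */`, and consider a debug log or assertion so a bad pointer surfaces during testing. The memory touched afterwards is the header returned by `RPMSG_LOCATE_HDR(rxbuf)`, not `rxbuf` itself, and `metal_io_is_block_valid()` is not defined in this patch, so the comment should also say what the `sizeof(struct rpmsg_hdr)` and `0` arguments cover. The function body continues below the hunk.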
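Review bot: The range check on `rxbuf` in rpmsg_virtio_release_rx_buffer() does not make `rp_hdr->reserved` trustworthy. A pointer that lies inside the region but is not the start of a payload handed out by the library still passes the guard, and `idx` is then read from whatever bytes sit in front of it. The use of `idx` is below the hunk, so I cannot see whether it is bounded before it reaches the virtqueue; if that is left to the callee, it is worth stating here. A comment at the assignment such as `/* rxbuf is only range-checked; idx must still be validated against the queue size before use */` would record that dependency.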
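Review bot: In rpmsg_virtio_send_offchannel_nocopy() the guard validates a transmit buffer (`data`) against `rvdev->rvq->shm_io`, which by its name is the region attached to the receive virtqueue and is the same expression used in the two rx hunks. Whether tx buffers always live in that region is not visible in this patch. If the device keeps a separate handle for the shared buffer pool, the check should use that handle; otherwise a comment like `/* tx and rx buffers share rvq->shm_io */` would record the assumption. As in the release path, `idx = hdr->reserved` is still read from application-reachable memory after only a range check, and the code that uses `idx` and `len` lies below the hunk.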