libmetal: Buffer overflow in metal_sys_io_mem_map() #323

iuliana-prodan · 2025-02-05T13:46:28Z

In void metal_sys_io_mem_map(struct metal_io_region *io) ([1] and [2]) if the I/O region size is a multiple of 1<<page_shift will result in a buffer overflow here, in the for loop:

for (p = 0; p <= (io->size >> io->page_shift); p++) {
	metal_machine_io_mem_map(va, io->physmap[p],
				 psize, io->mem_flags);
	va += psize;
}

The solution is:

diff --git a/libmetal/lib/system/freertos/io.c b/libmetal/lib/system/freertos/io.c
index 319322c..dde8242 100644
--- a/libmetal/lib/system/freertos/io.c
+++ b/libmetal/lib/system/freertos/io.c
@@ -22,7 +22,7 @@ void metal_sys_io_mem_map(struct metal_io_region *io)
        if (psize) {
                if (psize >> io->page_shift)
                        psize = (size_t)1 << io->page_shift;
-               for (p = 0; p <= (io->size >> io->page_shift); p++) {
+               for (p = 0; p <= ((io->size -1) >> io->page_shift); p++) {
                        metal_machine_io_mem_map(va, io->physmap[p],
                                                 psize, io->mem_flags);
                        va += psize;
diff --git a/libmetal/lib/system/generic/io.c b/libmetal/lib/system/generic/io.c
index 966bfc5..ac36f09 100644
--- a/libmetal/lib/system/generic/io.c
+++ b/libmetal/lib/system/generic/io.c
@@ -22,7 +22,7 @@ void metal_sys_io_mem_map(struct metal_io_region *io)
        if (psize) {
                if (psize >> io->page_shift)
                        psize = (size_t)1 << io->page_shift;
-               for (p = 0; p <= (io->size >> io->page_shift); p++) {
+               for (p = 0; p <= ((io->size -1) >> io->page_shift); p++) {
                        metal_machine_io_mem_map(va, io->physmap[p],
                                                 psize, io->mem_flags);
                        va += psize;

[1] https://github.com/OpenAMP/libmetal/blob/main/lib/system/freertos/io.c#L14
[2] https://github.com/OpenAMP/libmetal/blob/main/lib/system/generic/io.c#L14

The text was updated successfully, but these errors were encountered:

arnopo · 2025-02-05T17:46:59Z

Seems to me correct, don't hesitate to directly send a PR to propose the solution

iuliana-prodan · 2025-02-11T00:29:49Z

Seems to me correct, don't hesitate to directly send a PR to propose the solution

Fix sent for review: #324

arnopo linked a pull request Feb 12, 2025 that will close this issue

io: fix buffer overflow in metal_sys_io_mem_map() #324

Merged

arnopo closed this as completed in #324 Feb 14, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

libmetal: Buffer overflow in metal_sys_io_mem_map() #323

libmetal: Buffer overflow in metal_sys_io_mem_map() #323

iuliana-prodan commented Feb 5, 2025

arnopo commented Feb 5, 2025

iuliana-prodan commented Feb 11, 2025

libmetal: Buffer overflow in metal_sys_io_mem_map() #323

libmetal: Buffer overflow in metal_sys_io_mem_map() #323

Comments

iuliana-prodan commented Feb 5, 2025

arnopo commented Feb 5, 2025

iuliana-prodan commented Feb 11, 2025