    xen/arm: page: Avoid pointer overflow on cache clean & invalidate · 190b7f49
    Michal Orzel authored and Jan Beulich committed
    
    
    On Arm32, after cleaning and invalidating the last dcache line of the top
    domheap page i.e. VA = 0xfffff000 (as a result of flushing the page to
    RAM), we end up adding the value of a dcache line size to the pointer
    once again, which results in a pointer arithmetic overflow (with 64B line
    size, operation 0xffffffc0 + 0x40 overflows to 0x0). Such behavior is
    undefined, and given the wide range of compiler versions we support, it is
    difficult to determine what could happen in such a scenario.
    
    Modify clean_and_invalidate_dcache_va_range() as well as
    clean_dcache_va_range() and invalidate_dcache_va_range() due to similarity
    of handling to prevent pointer arithmetic overflow. Modify the loops to
    use an additional variable to store the index of the next cacheline.
    Add an assert to prevent passing a region that wraps around which is
    illegal and would end up in a page fault anyway (region 0-2MB is
    unmapped). Lastly, return early if size passed is 0.
    
    Note that on Arm64, we don't have this problem given that the max VA
    space we support is 48-bits.
    
    This is XSA-447 / CVE-2023-46837.
    
    Signed-off-by: Michal Orzel <michal.orzel@amd.com>
    Reviewed-by: Julien Grall <jgrall@amazon.com>
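The following is an added illustration of the loop shapes the commit message contrasts; it is not Xen's code and not the diff of this commit. It models a 32-bit Arm VA as a uint32_t (so the wrap at 0xffffffc0 + 0x40 is observable on any host, whereas on a real pointer it is undefined behaviour, as the message notes) and replaces the cache maintenance instruction with a recorder that stores each line address it would have been handed. The 64-byte line size, the `struct trace` recorder, the `range_op_before`/`range_op_after` names and the choice to report a wrapping region with a return value rather than an ASSERT are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the Arm32 dcache range loops discussed in the commit
 * message. Added illustration, not Xen's code. A 32-bit VA is a uint32_t so
 * the wrap is visible (UB on a real pointer); the cache op is a recorder. */

#define DCACHE_LINE_BYTES 64u       /* assumption: 64-byte line, as in the message */
#define DCACHE_LINE_MASK  (DCACHE_LINE_BYTES - 1)
#define MAX_LINES         4096u

struct trace {
    uint32_t lines[MAX_LINES];      /* addresses handed to the (fake) cache op */
    uint32_t nlines;
    uint32_t final_p;               /* where the cursor ended up after the loop */
};

static void fake_dcache_op(struct trace *t, uint32_t va)
{
    if (t->nlines < MAX_LINES)
        t->lines[t->nlines] = va;
    t->nlines++;
}

/* Loop in the shape the message describes as the problem: the cursor itself is
 * advanced once more after the last line has been handled. Applied to the top
 * domheap page this computes 0xffffffc0 + 0x40, which wraps to 0 in this model
 * and is undefined behaviour on a real pointer. */
static void range_op_before(struct trace *t, uint32_t p, uint32_t size)
{
    uint32_t off = p & DCACHE_LINE_MASK;

    t->nlines = 0;
    p -= off;                                   /* align start down to a line */
    size = (size + off + DCACHE_LINE_MASK) & ~DCACHE_LINE_MASK;   /* whole lines */
    for ( ; size >= DCACHE_LINE_BYTES; p += DCACHE_LINE_BYTES, size -= DCACHE_LINE_BYTES )
        fake_dcache_op(t, p);
    t->final_p = p;                             /* 0 for the top page: wrapped */
}

/* Index-based rewrite: the base is never advanced; the loop variable is the
 * number of the next line. Returns 0 on success and -1 for a region that wraps
 * around the top of the address space (where Xen would ASSERT instead). */
static int range_op_after(struct trace *t, uint32_t p, uint32_t size)
{
    uint32_t first, last, nlines, i;

    t->nlines = 0;
    t->final_p = p;
    if (size == 0)                              /* nothing to do: return early */
        return 0;
    /* p + size - 1 is the last byte; if it wrapped it is below p. */
    if (p + size - 1 < p)
        return -1;

    first  = p & ~DCACHE_LINE_MASK;             /* line holding the first byte */
    last   = (p + size - 1) & ~DCACHE_LINE_MASK; /* line holding the last byte */
    nlines = (last - first) / DCACHE_LINE_BYTES + 1;

    /* first + i*LINE <= last <= 0xffffffff for every i used, so no value
     * computed here can overflow, and p itself is left untouched. */
    for (i = 0; i < nlines; i++)
        fake_dcache_op(t, first + i * DCACHE_LINE_BYTES);
    return 0;
}
```

Running both variants on the page from the message (VA 0xfffff000, 0x1000 bytes) records the same 64 line addresses ending at 0xffffffc0, but only the pointer-stepping variant leaves its cursor at 0 afterwards; the index-based variant additionally rejects a range such as 0xfffff000 + 0x2000 that would wrap, and does nothing for a zero-length range.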