On Sun, 2020-08-02 at 23:21 +0800, Jia-Ju Bai wrote: > Because "fs" is mapped to DMA, its data can be modified at anytime by > malicious or malfunctioning hardware. In this case, the check > "if (fsc->command >= cmdcnt)" can be passed, and then "fsc->command" > can be modified by hardware to cause buffer overflow. This threat model seems to be completely bogus. If the device were malicious it would have given the mailbox incorrect values a priori ... it wouldn't give the correct value then update it. For most systems we do assume correct operation of the device but if there's a worry about incorrect operation, the usual approach is to guard the device with an IOMMU which, again, would make this sort of fix unnecessary because the IOMMU will have removed access to the buffer after the command completed. James
