Djam/arm-trusted-firmware
1
0
Fork 0
mirror of https://github.com/ARM-software/arm-trusted-firmware.git synced 2025-04-18 02:24:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix(el3-spmc): fix dangling pointer in FFA_CONSOLE_LOG

Browse source 
Fixes a dangling pointer bug in `spmc_ffa_console_log`.
`chars` was assigned to an array which went out of scope at the end of
the `if`/`else` block.

The solution is to `memcmpy` from the temporary array into `chars`,
which is now an array.

Signed-off-by: Karl Meakin <karl.meakin@arm.com>
Change-Id: I67d19ea25d09b72f38fcc67dab4acf449aa8f1b1
This commit is contained in:
Karl Meakin 2024-01-22 17:03:02 +00:00
parent eb88986558
commit 83129bcd8e
1 changed files with 18 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
services/std_svc/spm/el3_spmc/spmc_main.c
View file

@ -1489,7 +1489,8 @@ static uint64_t spmc_ffa_console_log(uint32_t smc_fid,
void *handle,
uint64_t flags)
{
char *chars;
/* Maximum number of characters is 48: 6 registers of 8 bytes each. */
char chars[48] = {0};
size_t chars_max;
size_t chars_count = x1;
@ -1500,27 +1501,23 @@ static uint64_t spmc_ffa_console_log(uint32_t smc_fid,
assert(smc_fid == FFA_CONSOLE_LOG_SMC32 || smc_fid == FFA_CONSOLE_LOG_SMC64);
if (smc_fid == FFA_CONSOLE_LOG_SMC32) {
uint32_t registers[] = {
(uint32_t)x2,
(uint32_t)x3,
(uint32_t)x4,
(uint32_t)SMC_GET_GP(handle, CTX_GPREG_X5),
(uint32_t)SMC_GET_GP(handle, CTX_GPREG_X6),
(uint32_t)SMC_GET_GP(handle, CTX_GPREG_X7),
};
chars_max = ARRAY_SIZE(registers) * sizeof(uint32_t);
chars = (char *)registers;
uint32_t *registers = (uint32_t *)chars;
registers[0] = (uint32_t)x2;
registers[1] = (uint32_t)x3;
registers[2] = (uint32_t)x4;
registers[3] = (uint32_t)SMC_GET_GP(handle, CTX_GPREG_X5);
registers[4] = (uint32_t)SMC_GET_GP(handle, CTX_GPREG_X6);
registers[5] = (uint32_t)SMC_GET_GP(handle, CTX_GPREG_X7);
chars_max = 6 * sizeof(uint32_t);
} else {
uint64_t registers[] = {
x2,
x3,
x4,
SMC_GET_GP(handle, CTX_GPREG_X5),
SMC_GET_GP(handle, CTX_GPREG_X6),
SMC_GET_GP(handle, CTX_GPREG_X7),
};
chars_max = ARRAY_SIZE(registers) * sizeof(uint64_t);
chars = (char *)registers;
uint64_t *registers = (uint64_t *)chars;
registers[0] = x2;
registers[1] = x3;
registers[2] = x4;
registers[3] = SMC_GET_GP(handle, CTX_GPREG_X5);
registers[4] = SMC_GET_GP(handle, CTX_GPREG_X6);
registers[5] = SMC_GET_GP(handle, CTX_GPREG_X7);
chars_max = 6 * sizeof(uint64_t);
}
if ((chars_count == 0) || (chars_count > chars_max)) {