Djam/arm-trusted-firmware
1
0
Fork 0
mirror of https://github.com/ARM-software/arm-trusted-firmware.git synced 2025-04-16 09:34:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor(el3-spmc): crash instead of reading OOB

Browse source 
If it is called on an invalid mtd, out-of-bounds memory reads are
likely.  Checks elsewhere in the code ensure that the mtd has been
validated before calling this function.

Change-Id: If598680a5b79e1786a6e0a213779ec80cbf37494
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This commit is contained in:
Demi Marie Obenour 2023-01-12 13:25:23 -05:00
parent 2d4da8e265
commit 9526282a7d
1 changed files with 10 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
services/std_svc/spm/el3_spmc/spmc_shared_mem.c
View file

@ -788,11 +788,17 @@ static int spmc_shmem_check_obj(struct spmc_shmem_obj *obj,
uint32_t ffa_version)
{
uint32_t comp_mrd_offset = 0;
if (obj->desc_filled != obj->desc_size) {
ERROR("BUG: %s called on incomplete object (%zu != %zu)\n",
__func__, obj->desc_filled, obj->desc_size);
panic();
}
if (obj->desc.emad_count == 0U) {
WARN("%s: unsupported attribute desc count %u.\n",
__func__, obj->desc.emad_count);
return -EINVAL;
if (spmc_validate_mtd_start(&obj->desc, ffa_version,
obj->desc_filled, obj->desc_size)) {
ERROR("BUG: %s called on object with corrupt memory region descriptor\n",
__func__);
panic();
}
for (size_t emad_num = 0; emad_num < obj->desc.emad_count; emad_num++) {