mirror of
https://github.com/ARM-software/arm-trusted-firmware.git
synced 2025-04-17 10:04:26 +00:00
fix(intel): update memcpy to memcpy_s
memcpy does not check dst_size, which can create a vulnerability because the copy may overflow the destination buffer. Using memcpy_s, which checks dst_size, helps reduce the risk. Also, this memcpy always copies 4 bytes at a time. Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com> Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com> Change-Id: I413e6ae2ee9330501703c4cd63b7943c6f55b4c7
parent
8fb91783ff
commit
e264b55739
6 changed files with 45 additions and 28 deletions
|
@ -1,5 +1,6 @@
|
|||
/*
|
||||
* Copyright (c) 2022-2023, Intel Corporation. All rights reserved.
|
||||
* Copyright (c) 2024, Altera Corporation. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
@ -19,6 +20,7 @@
|
|||
|
||||
#include "agilex5_pinmux.h"
|
||||
#include "sdmmc.h"
|
||||
#include "socfpga_mailbox.h"
|
||||
|
||||
static const struct mmc_ops *ops;
|
||||
static unsigned int mmc_ocr_value;
|
||||
|
@ -518,7 +520,8 @@ static int sdmmc_enumerate(unsigned int clk, unsigned int bus_width)
|
|||
return ret;
|
||||
}
|
||||
|
||||
memcpy(&mmc_csd, &resp_data, sizeof(resp_data));
|
||||
memcpy_s(&mmc_csd, sizeof(mmc_csd) / MBOX_WORD_BYTE,
|
||||
&resp_data, sizeof(resp_data) / MBOX_WORD_BYTE);
|
||||
|
||||
/* CMD7: Select Card */
|
||||
ret = sdmmc_send_cmd(MMC_CMD(7), rca << RCA_SHIFT_OFFSET,
|
||||
|
@ -758,7 +761,8 @@ int sdmmc_init(handoff *hoff_ptr, struct cdns_sdmmc_params *params, struct mmc_d
|
|||
(params->bus_width == MMC_BUS_WIDTH_4) ||
|
||||
(params->bus_width == MMC_BUS_WIDTH_8)));
|
||||
|
||||
memcpy(&cdns_params, params, sizeof(struct cdns_sdmmc_params));
|
||||
memcpy_s(&cdns_params, sizeof(struct cdns_sdmmc_params) / MBOX_WORD_BYTE,
|
||||
params, sizeof(struct cdns_sdmmc_params) / MBOX_WORD_BYTE);
|
||||
cdns_params.cdn_sdmmc_dev_type = info->mmc_dev_type;
|
||||
cdns_params.cdn_sdmmc_dev_mode = SD_DS;
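Review bot: Every memcpy_s call added in this commit discards its result, starting with the two in sdmmc_enumerate and sdmmc_init in this file and continuing through the FCS, handoff, mailbox, reset and VAB call sites. memcpy_s's definition is not on this page, but a size-checking copy has to report a rejected copy somehow; if it does so through its return value, a rejection here leaves `mmc_csd` or `cdns_params` unwritten and the code carries on to CMD7 or to controller setup with stale contents. In sdmmc_enumerate the existing `ret` can carry the status: `ret = memcpy_s(...); if (ret != 0) { return ret; }`. Note also that `sizeof(mmc_csd) / MBOX_WORD_BYTE` and `sizeof(resp_data) / MBOX_WORD_BYTE` truncate, so the full objects are copied only when both sizes are multiples of four. Both functions begin and end outside the hunks shown.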
|
||||
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
/*
|
||||
* Copyright (c) 2020-2022, Intel Corporation. All rights reserved.
|
||||
* Copyright (c) 2020-2023, Intel Corporation. All rights reserved.
|
||||
* Copyright (c) 2024, Altera Corporation. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
@ -1164,8 +1165,8 @@ int intel_fcs_mac_verify_update_finalize(uint32_t session_id,
|
|||
return INTEL_SIP_SMC_STATUS_REJECTED;
|
||||
}
|
||||
|
||||
memcpy((uint8_t *) &payload[i], (uint8_t *) mac_offset,
|
||||
src_size - data_size);
|
||||
memcpy_s(&payload[i], (src_size - data_size) / MBOX_WORD_BYTE,
|
||||
(void *) mac_offset, (src_size - data_size) / MBOX_WORD_BYTE);
|
||||
|
||||
i += (src_size - data_size) / MBOX_WORD_BYTE;
|
||||
}
|
||||
|
@ -1298,8 +1299,8 @@ int intel_fcs_mac_verify_smmu_update_finalize(uint32_t session_id,
|
|||
return INTEL_SIP_SMC_STATUS_REJECTED;
|
||||
}
|
||||
|
||||
memcpy((uint8_t *) &payload[i], (uint8_t *) mac_offset,
|
||||
src_size - data_size);
|
||||
memcpy_s(&payload[i], (src_size - data_size) / MBOX_WORD_BYTE,
|
||||
(void *) mac_offset, (src_size - data_size) / MBOX_WORD_BYTE);
|
||||
|
||||
memset((void *) dst_addr, 0, *dst_size);
|
||||
|
||||
|
@ -1401,8 +1402,8 @@ int intel_fcs_ecdsa_hash_sign_finalize(uint32_t session_id, uint32_t context_id,
|
|||
return INTEL_SIP_SMC_STATUS_REJECTED;
|
||||
}
|
||||
|
||||
memcpy((uint8_t *) &payload[i], (uint8_t *) hash_data_addr,
|
||||
src_size);
|
||||
memcpy_s(&payload[i], src_size / MBOX_WORD_BYTE,
|
||||
(void *) hash_data_addr, src_size / MBOX_WORD_BYTE);
|
||||
|
||||
i += src_size / MBOX_WORD_BYTE;
|
||||
|
||||
|
@ -1502,8 +1503,8 @@ int intel_fcs_ecdsa_hash_sig_verify_finalize(uint32_t session_id, uint32_t conte
|
|||
return INTEL_SIP_SMC_STATUS_REJECTED;
|
||||
}
|
||||
|
||||
memcpy((uint8_t *) &payload[i],
|
||||
(uint8_t *) hash_sig_pubkey_addr, src_size);
|
||||
memcpy_s(&payload[i], src_size / MBOX_WORD_BYTE,
|
||||
(void *) hash_sig_pubkey_addr, src_size / MBOX_WORD_BYTE);
|
||||
|
||||
i += (src_size / MBOX_WORD_BYTE);
|
||||
|
||||
|
@ -1839,8 +1840,8 @@ int intel_fcs_ecdsa_sha2_data_sig_verify_update_finalize(uint32_t session_id,
|
|||
return INTEL_SIP_SMC_STATUS_REJECTED;
|
||||
}
|
||||
|
||||
memcpy((uint8_t *) &payload[i], (uint8_t *) sig_pubkey_offset,
|
||||
src_size - data_size);
|
||||
memcpy_s(&payload[i], (src_size - data_size) / MBOX_WORD_BYTE,
|
||||
(void *) sig_pubkey_offset, (src_size - data_size) / MBOX_WORD_BYTE);
|
||||
|
||||
i += (src_size - data_size) / MBOX_WORD_BYTE;
|
||||
}
|
||||
|
@ -1971,8 +1972,8 @@ int intel_fcs_ecdsa_sha2_data_sig_verify_smmu_update_finalize(uint32_t session_i
|
|||
return INTEL_SIP_SMC_STATUS_REJECTED;
|
||||
}
|
||||
|
||||
memcpy((uint8_t *) &payload[i], (uint8_t *) sig_pubkey_offset,
|
||||
src_size - data_size);
|
||||
memcpy_s(&payload[i], (src_size - data_size) / MBOX_WORD_BYTE,
|
||||
(void *) sig_pubkey_offset, (src_size - data_size) / MBOX_WORD_BYTE);
|
||||
|
||||
memset((void *) dst_addr, 0, *dst_size);
|
||||
|
||||
|
@ -2145,7 +2146,8 @@ int intel_fcs_ecdh_request_finalize(uint32_t session_id, uint32_t context_id,
|
|||
return INTEL_SIP_SMC_STATUS_REJECTED;
|
||||
}
|
||||
|
||||
memcpy((uint8_t *) &payload[i], (uint8_t *) pubkey, src_size);
|
||||
memcpy_s(&payload[i], src_size / MBOX_WORD_BYTE,
|
||||
(void *) pubkey, src_size / MBOX_WORD_BYTE);
|
||||
i += src_size / MBOX_WORD_BYTE;
|
||||
|
||||
status = mailbox_send_cmd(MBOX_JOB_ID, MBOX_FCS_ECDH_REQUEST,
|
||||
|
@ -2223,8 +2225,8 @@ int intel_fcs_aes_crypt_init(uint32_t session_id, uint32_t context_id,
|
|||
fcs_aes_init_payload.param_size = param_size;
|
||||
fcs_aes_init_payload.key_id = key_id;
|
||||
|
||||
memcpy((uint8_t *) fcs_aes_init_payload.crypto_param,
|
||||
(uint8_t *) param_addr, param_size);
|
||||
memcpy_s(fcs_aes_init_payload.crypto_param, param_size / MBOX_WORD_BYTE,
|
||||
(void *) param_addr, param_size / MBOX_WORD_BYTE);
|
||||
|
||||
fcs_aes_init_payload.is_updated = 0;
|
||||
|
||||
|
@ -2304,9 +2306,10 @@ int intel_fcs_aes_crypt_update_finalize(uint32_t session_id,
|
|||
return INTEL_SIP_SMC_STATUS_REJECTED;
|
||||
}
|
||||
|
||||
memcpy((uint8_t *) &fcs_aes_crypt_payload[i],
|
||||
(uint8_t *) fcs_aes_init_payload.crypto_param,
|
||||
fcs_aes_init_payload.param_size);
|
||||
memcpy_s(&fcs_aes_crypt_payload[i],
|
||||
fcs_aes_init_payload.param_size / MBOX_WORD_BYTE,
|
||||
(void *) fcs_aes_init_payload.crypto_param,
|
||||
fcs_aes_init_payload.param_size / MBOX_WORD_BYTE);
|
||||
|
||||
i += fcs_aes_init_payload.param_size / MBOX_WORD_BYTE;
|
||||
}
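Review bot: The destination size given to memcpy_s in these FCS hunks is the same expression as the source size (`(src_size - data_size) / MBOX_WORD_BYTE`, `src_size / MBOX_WORD_BYTE`, `param_size / MBOX_WORD_BYTE`), so the check compares a caller-supplied length with itself and never considers how much room is left in `payload`, `fcs_aes_crypt_payload` or `crypto_param`. The overflow protection described in the commit message exists only if the bound comes from the destination, for example rejecting the request when `i + len > ARRAY_SIZE(payload)` before the copy. The array declarations and the validation above the `INTEL_SIP_SMC_STATUS_REJECTED` returns are outside these hunks, so such a bound may already be enforced there. socfpga_system_reset and socfpga_vab_authentication pass the source length twice in the same way. The division also drops up to three trailing bytes that the old byte-wise memcpy copied, unless the lengths are already required to be word-aligned.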
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
/*
|
||||
* Copyright (c) 2019-2023, Intel Corporation. All rights reserved.
|
||||
* Copyright (c) 2024, Altera Corporation. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
@ -15,15 +16,21 @@
|
|||
int socfpga_get_handoff(handoff *reverse_hoff_ptr)
|
||||
{
|
||||
int i;
|
||||
int j;
|
||||
uint32_t *buffer;
|
||||
handoff *handoff_ptr = (handoff *) PLAT_HANDOFF_OFFSET;
|
||||
uint32_t *handoff_ptr = (uint32_t *) PLAT_HANDOFF_OFFSET;
|
||||
uint32_t *reverse_hoff_ptr_dst = (uint32_t *) reverse_hoff_ptr;
|
||||
|
||||
if (sizeof(*handoff_ptr) > sizeof(handoff)) {
|
||||
return -EOVERFLOW;
|
||||
}
|
||||
|
||||
memcpy(reverse_hoff_ptr, handoff_ptr, sizeof(handoff));
|
||||
buffer = (uint32_t *)reverse_hoff_ptr;
|
||||
for (j = 0; j < sizeof(handoff) / 4; j++) {
|
||||
memcpy_s((void *) (reverse_hoff_ptr_dst + j), 1,
|
||||
(void *) (handoff_ptr + j), 1);
|
||||
}
|
||||
|
||||
buffer = (uint32_t *)reverse_hoff_ptr_dst;
|
||||
|
||||
/* convert big endian to little endian */
|
||||
for (i = 0; i < sizeof(handoff) / 4; i++)
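Review bot: The guard `if (sizeof(*handoff_ptr) > sizeof(handoff))` no longer tests anything now that `handoff_ptr` is a `uint32_t *`: it compares `sizeof(uint32_t)` with `sizeof(handoff)`, a compile-time constant that is false for any handoff structure of at least four bytes, so the `-EOVERFLOW` return is dead code. The per-word `memcpy_s(..., 1, ..., 1)` calls likewise check a literal against a literal, which leaves `sizeof(handoff) / 4` in the loop condition as the only real bound on the copy. If a size check is wanted it belongs in a build-time assertion on the handoff layout (for instance that `sizeof(handoff)` is a multiple of `sizeof(uint32_t)`); otherwise the guard can go. `j` is a signed `int` compared with a `size_t`; declaring it `size_t j;` avoids the sign-compare warning. The function continues past the end of this hunk.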
|
||||
|
|
|
@ -252,7 +252,7 @@ int mailbox_read_response_async(unsigned int *job_id, uint32_t *header,
|
|||
return MBOX_RET_ERROR;
|
||||
}
|
||||
|
||||
memcpy((uint8_t *) response,
|
||||
memcpy_s((uint8_t *) response, *resp_len * MBOX_WORD_BYTE,
|
||||
(uint8_t *) mailbox_resp_ctr.payload->data,
|
||||
*resp_len * MBOX_WORD_BYTE);
|
||||
}
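Review bot: This call passes byte counts (`*resp_len * MBOX_WORD_BYTE`), while the FCS and SDMMC call sites divide by `MBOX_WORD_BYTE` and the handoff loop passes `1` to move one `uint32_t`, so the commit uses two different units for the same pair of parameters. memcpy_s's definition is not on this page, but if it counts 32-bit words, as those other call sites imply, this copy moves four times `*resp_len` words and runs past both `response` and the mailbox payload. The same would apply to socfpga_system_reset, which would write `sizeof(intel_rsu_update_address)` words into the two-element `addr_buf`, and to socfpga_vab_authentication with `mbox_data_sz * sizeof(uint32_t)`. If it counts bytes instead, the divided call sites copy only a quarter of their data. Either way one unit has to be chosen and applied at every call site; under word semantics this line becomes `memcpy_s((uint8_t *) response, *resp_len, (uint8_t *) mailbox_resp_ctr.payload->data, *resp_len);`.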
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
/*
|
||||
* Copyright (c) 2019-2023, ARM Limited and Contributors. All rights reserved.
|
||||
* Copyright (c) 2019-2023, Intel Corporation. All rights reserved.
|
||||
* Copyright (c) 2024, Altera Corporation. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
@ -183,8 +184,9 @@ static void __dead2 socfpga_system_reset(void)
|
|||
{
|
||||
uint32_t addr_buf[2];
|
||||
|
||||
memcpy(addr_buf, &intel_rsu_update_address,
|
||||
sizeof(intel_rsu_update_address));
|
||||
memcpy_s(addr_buf, sizeof(intel_rsu_update_address),
|
||||
&intel_rsu_update_address, sizeof(intel_rsu_update_address));
|
||||
|
||||
if (intel_rsu_update_address) {
|
||||
mailbox_rsu_update(addr_buf);
|
||||
} else {
|
||||
|
|
|
@ -113,7 +113,8 @@ int socfpga_vab_authentication(void **p_image, size_t *p_size)
|
|||
|
||||
VERBOSE("mbox_data_addr = %lx mbox_data_sz = %d\n", mbox_data_addr, mbox_data_sz);
|
||||
|
||||
memcpy(mbox_relocate_data_addr, (uint8_t *)mbox_data_addr, mbox_data_sz * sizeof(uint32_t));
|
||||
memcpy_s(mbox_relocate_data_addr, mbox_data_sz * sizeof(uint32_t),
|
||||
(uint8_t *)mbox_data_addr, mbox_data_sz * sizeof(uint32_t));
|
||||
|
||||
*((unsigned int *)mbox_relocate_data_addr) = CCERT_CMD_TEST_PGM_MASK;
|
||||
|
||||
|
|