Searched hist:"49 a875007e93bf7b1042ba45dd9f6853ed1dd9b9" (Results 1 – 1 of 1) sorted by relevance
| /optee_os/core/kernel/ |
| H A D | ree_fs_ta.c | 49a875007e93bf7b1042ba45dd9f6853ed1dd9b9 Mon Jun 21 11:39:49 UTC 2021 Jens Wiklander <jens.wiklander@linaro.org> core: add more overflow checks in ree_fs_ta_open()
Adds more overflow checks in ree_fs_ta_open() and also checks that the
encrypted header (struct shdr_encrypted_ta) also fits in the size of the
TA binary.
The latter check is needed to guard against fabricated values in struct
shdr_encrypted_ta for iv_size and/or tag_size which could trick OP-TEE
to read beyond the end of the buffer where the TA was loaded.
Reading beyond the end of the TA buffer would normally result in a crash
or if there's a valid mappings just after just a failure to load the TA.
No unchecked code will be executed, but it may result in a secure world
crash.
So this commit will check that the iv_size and tag_size values can point
to a valid buffer before attempting to read and thus prevent a crash.
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reported-by: Patrik Lantz <Patrik.Lantz@axis.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|