Searched hist:"54 ebc3ac7ca69198048e77572eb484056bb49b90" (Results 1 – 1 of 1) sorted by relevance
| /optee_os/core/tee/ |
| H A D | tee_svc_cryp.c | 54ebc3ac7ca69198048e77572eb484056bb49b90 Thu Sep 27 08:42:40 UTC 2018 Joakim Bech <joakim.bech@linaro.org> svc: avoid TOCTOU issue in syscall_hash_final
When checking that the supplied buffer is big enough to fit the computed
digest one should use the local copy 'hlen' instead of 'hash_len' to
prevent that a malicious attacker in REE have changed the size of
'hash_len' after it has been copied to the local buffer.
(TOCTOU: Time Of Check To Time of Use)
Fixes: "Double-fetch of length in syscall_hash_final (x2)" as reported
by Riscure.
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|