Searched hist:"728616 b28df659cf0bdde6e58a471f6ef25d023c" (Results 1 – 1 of 1) sorted by relevance
| /optee_os/core/tee/ |
| entry_std.c | 728616b28df659cf0bdde6e58a471f6ef25d023c Wed Aug 31 09:10:58 UTC 2022 Jens Wiklander <jens.wiklander@linaro.org> core: tee_entry: fix array out of bounds check in cleanup_shm_refs()
cleanup_shm_refs() can be called with num_params larger than what has been used by copy_in_params(). If num_params is larger than TEE_NUM_PARAMS, copy_in_params() will return an error and cleanup_shm_refs() is called to clean up.
This leads to accessing uint64_t saved_attr[TEE_NUM_PARAMS] in entry_invoke_command() or entry_open_session() out of bounds and possibly also the u[TEE_NUM_PARAMS] array in struct tee_ta_param.
So fix this by capping num_params at TEE_NUM_PARAMS in cleanup_shm_refs().
Fixes: b05cd886e06d ("core: enable non-contiguous temporary reference parameters")
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|