Searched hist:e1509d6e6178011df581c535ee8bf8c147053df2 (Results 1 – 1 of 1) sorted by relevance
| /optee_os/core/kernel/ |
| msg_param.c | e1509d6e6178011df581c535ee8bf8c147053df2 Tue Jan 29 14:19:40 UTC 2019 Jerome Forissier <jerome.forissier@linaro.org> core: check for overflow in msg_param_mobj_from_noncontig()
msg_param_mobj_from_noncontig() does not check that buf_ptr + size does not overflow. As a result, num_pages could be computed small, while size could be big. Only num_pages will be mapped/registered in the returned mobj. If the caller does not compare mobj->size with required size, it can end up manipulating memory out of the intended region.
Fix the issue by using overflow checking macros.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.2]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
|
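The failure mode the commit message describes, shown as an added example that is not OP-TEE's code: a page count derived from a wrapped sum comes out small while `size` stays large, and a checked version rejects the request. The function names, the 4 KiB page size and the constructed input are assumptions, and the GCC/Clang `__builtin_*_overflow` builtins stand in for the project's overflow checking macros.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EX_PAGE_SIZE 4096ull               /* assumed small-page size */
#define EX_PAGE_MASK (EX_PAGE_SIZE - 1)

/* Unchecked: size + page_offset can wrap, so a huge size yields a tiny count. */
static uint64_t num_pages_unchecked(uint64_t buf_ptr, uint64_t size)
{
	uint64_t page_offset = buf_ptr & EX_PAGE_MASK;

	return (size + page_offset - 1) / EX_PAGE_SIZE + 1;
}

/* Checked: refuse any request whose address arithmetic would wrap. */
static bool num_pages_checked(uint64_t buf_ptr, uint64_t size, uint64_t *num_pages)
{
	uint64_t page_offset = buf_ptr & EX_PAGE_MASK;
	uint64_t end, span;

	if (!size || __builtin_add_overflow(buf_ptr, size, &end) ||
	    __builtin_add_overflow(size, page_offset, &span))
		return false;
	*num_pages = (span - 1) / EX_PAGE_SIZE + 1;
	return true;
}

/* Caller-side check: do the mapped pages cover the requested size? */
static bool mapping_covers(uint64_t num_pages, uint64_t buf_ptr, uint64_t size)
{
	uint64_t mapped;

	if (!num_pages || __builtin_mul_overflow(num_pages, EX_PAGE_SIZE, &mapped))
		return false;
	return mapped - (buf_ptr & EX_PAGE_MASK) >= size;
}

int main(void)
{
	/* Constructed input: offset 0xff0 in its page, size chosen so the sum wraps to 1. */
	uint64_t buf_ptr = 0x1ff0, size = 0xfffffffffffff011ull, n = 0;

	printf("unchecked pages: %llu\n", (unsigned long long)num_pages_unchecked(buf_ptr, size));
	printf("covers request: %d\n", mapping_covers(1, buf_ptr, size));
	printf("checked accepts: %d\n", num_pages_checked(buf_ptr, size, &n));
	return 0;
}
```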