All of lore.kernel.org
 help / color / mirror / Atom feed
From: Armin Wolf <W_Armin@gmx.de>
To: Shyam-sundar.S-k@amd.com
Cc: hdegoede@redhat.com, ilpo.jarvinen@linux.intel.com,
	platform-driver-x86@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH v2 2/2] platform/x86/amd/pmf: Fix possible out-of-bound memory accesses
Date: Tue, 27 Feb 2024 15:55:00 +0100	[thread overview]
Message-ID: <20240227145500.299683-2-W_Armin@gmx.de> (raw)
In-Reply-To: <20240227145500.299683-1-W_Armin@gmx.de>

The length of the policy buffer is not validated before accessing it,
which means that multiple out-of-bounds memory accesses can occur.

This is especially bad since userspace can load policy binaries over
debugfs.

Compile-tested only.

Signed-off-by: Armin Wolf <W_Armin@gmx.de>
---
Changes since v1:
- check if the policy buffer also has enough room for storing the length
---
 drivers/platform/x86/amd/pmf/tee-if.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/platform/x86/amd/pmf/tee-if.c b/drivers/platform/x86/amd/pmf/tee-if.c
index b3491268b6a0..09e3c620a9c7 100644
--- a/drivers/platform/x86/amd/pmf/tee-if.c
+++ b/drivers/platform/x86/amd/pmf/tee-if.c
@@ -249,12 +249,18 @@ static int amd_pmf_start_policy_engine(struct amd_pmf_dev *dev)
 	u32 cookie, length;
 	int res;

+	if (dev->policy_sz < POLICY_COOKIE_LEN + sizeof(length))
+		return -EINVAL;
+
 	cookie = *(u32 *)(dev->policy_buf + POLICY_COOKIE_OFFSET);
 	length = *(u32 *)(dev->policy_buf + POLICY_COOKIE_LEN);

 	if (cookie != POLICY_SIGN_COOKIE || !length)
 		return -EINVAL;

+	if (dev->policy_sz < length + 512)
+		return -EINVAL;
+
 	/* Update the actual length */
 	dev->policy_sz = length + 512;
 	res = amd_pmf_invoke_cmd_init(dev);
--
2.39.2


  reply	other threads:[~2024-02-27 14:55 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-02-27 14:54 [PATCH v2 1/2] platform/x86/amd/pmf: Do not use readl() for policy buffer access Armin Wolf
2024-02-27 14:55 ` Armin Wolf [this message]
2024-02-27 15:45   ` [PATCH v2 2/2] platform/x86/amd/pmf: Fix possible out-of-bound memory accesses Ilpo Järvinen
2024-02-28 11:16     ` Shyam Sundar S K
2024-02-28 20:48       ` Armin Wolf
2024-02-29 12:05         ` Ilpo Järvinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240227145500.299683-2-W_Armin@gmx.de \
    --to=w_armin@gmx.de \
    --cc=Shyam-sundar.S-k@amd.com \
    --cc=hdegoede@redhat.com \
    --cc=ilpo.jarvinen@linux.intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=platform-driver-x86@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.