core: add VA overflow check in shdr_alloc_and_copy()

Make sure that no address overflow can occur when shdr_alloc_and_copy()
copies the signed header.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.4]
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
jforissier committed Feb 5, 2019
1 parent 8ad7af5 commit 062765e4f80b97c90fd62d17859b675797af5de9
Showing with 6 additions and 0 deletions.
  1. +6 −0 core/crypto/signed_hdr.c
@@ -11,11 +11,14 @@
#include <tee_api_types.h>
#include <tee/tee_cryp_utl.h>
#include <utee_defines.h>
#include <util.h>

struct shdr *shdr_alloc_and_copy(const struct shdr *img, size_t img_size)
{
size_t shdr_size;
struct shdr *shdr;
vaddr_t img_va = (vaddr_t)img;
vaddr_t tmp = 0;

if (img_size < sizeof(struct shdr))
return NULL;
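Review bot: `tmp` in the declarations at the top of shdr_alloc_and_copy() is used only as the output argument of ADD_OVERFLOW and is never read in the visible code. A name such as `end_va`, or a short comment saying it only receives the discarded sum, would make that intent clear. The `img_va` cast is fine, but a one-line comment on why the pointer is converted to `vaddr_t` (so the range end can be computed as an integer) would help readers of the declaration block.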
@@ -24,6 +27,9 @@ struct shdr *shdr_alloc_and_copy(const struct shdr *img, size_t img_size)
if (img_size < shdr_size)
return NULL;

if (ADD_OVERFLOW(img_va, shdr_size, &tmp))
return NULL;

shdr = malloc(shdr_size);
if (!shdr)
return NULL;
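Review bot: The `ADD_OVERFLOW(img_va, shdr_size, &tmp)` check covers only the source range from `img_va` to `img_va + shdr_size`. The assignment to `shdr_size` sits between the two hunks and is not shown, so please confirm that computation cannot itself wrap, since a wrapped, small `shdr_size` would pass both `img_size < shdr_size` and this new check. A one-line comment above the new check stating that it rejects a header whose end address wraps around the address space would also document the reason for the early return.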
