core: add VA overflow check in shdr_alloc_and_copy()

Make sure that no address overflow can occur when shdr_alloc_and_copy() copies the signed header. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.4] Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
OP-TEE · Feb 25, 2019 · 062765e · 062765e
1 parent 8ad7af5
commit 062765e
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/core/crypto/signed_hdr.c b/core/crypto/signed_hdr.c
@@ -11,11 +11,14 @@
 #include <tee_api_types.h>
 #include <tee/tee_cryp_utl.h>
 #include <utee_defines.h>
+#include <util.h>
 
 struct shdr *shdr_alloc_and_copy(const struct shdr *img, size_t img_size)
 {
 	size_t shdr_size;
 	struct shdr *shdr;
+	vaddr_t img_va = (vaddr_t)img;
+	vaddr_t tmp = 0;
 
 	if (img_size < sizeof(struct shdr))
 		return NULL;
@@ -24,6 +27,9 @@ struct shdr *shdr_alloc_and_copy(const struct shdr *img, size_t img_size)
 	if (img_size < shdr_size)
 		return NULL;
 
+	if (ADD_OVERFLOW(img_va, shdr_size, &tmp))
+		return NULL;
+
 	shdr = malloc(shdr_size);
 	if (!shdr)
 		return NULL;