core: tee_entry: fix array out of bounds check in cleanup_shm_refs()
cleanup_shm_refs() can be called with num_params larger than what has
been used by copy_in_params(). If num_params is larger than
TEE_NUM_PARAMS copy_in_params() will return an error and
cleanup_shm_refs() is called to clean up.

This leads to accessing uint64_t saved_attr[TEE_NUM_PARAMS] in
entry_invoke_command() or entry_open_session() out of bounds and
possibly also the u[TEE_NUM_PARAMS] array in struct tee_ta_param.

So fix this by capping num_params at TEE_NUM_PARAMS in cleanup_shm_refs().

Fixes: b05cd88 ("core: enable non-contiguous temporary reference parameters")
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
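The loop-bound mistake described in the commit message, reduced to a small stand-alone model. This is added example code, not OP-TEE source: TEE_NUM_PARAMS, the attribute values, the two cleanup variants and the instrumented read_attr() helper are all constructed here, and it is assumed (as the commit message implies) that copy_in_params() rejects an oversized num_params before touching any entry, so the error-path cleanup finds nothing to release beyond the array. The model counts how many indices past the end of saved_attr[] each variant would read on that error path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not OP-TEE source. The real definitions live in
 * core/tee/entry_std.c and the OP-TEE headers. */
#define TEE_NUM_PARAMS 4
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Placeholder attribute values; only "marks a TMEM reference" matters here. */
#define ATTR_NONE       0
#define ATTR_TMEM_INPUT 1

struct model_ctx {
    uint64_t saved_attr[TEE_NUM_PARAMS]; /* stands in for the caller's saved_attr[] */
    size_t oob_reads;      /* indices >= TEE_NUM_PARAMS the cleanup loop tried to read */
    size_t refs_released;  /* entries whose reference the cleanup loop would release */
};

/* Models copy_in_params(): reject too many parameters before touching any
 * entry, otherwise record each attribute as claimed (assumption, see lead-in). */
static int model_copy_in_params(struct model_ctx *ctx, const uint64_t *attrs,
                                uint32_t num_params)
{
    if (num_params > TEE_NUM_PARAMS)
        return -1;
    for (uint32_t n = 0; n < num_params; n++)
        ctx->saved_attr[n] = attrs[n];
    return 0;
}

/* Guarded read so the model stays memory-safe. The real code indexes
 * saved_attr[n] directly, so every index counted here is a real OOB read. */
static uint64_t read_attr(struct model_ctx *ctx, size_t n)
{
    if (n >= TEE_NUM_PARAMS) {
        ctx->oob_reads++;
        return ATTR_NONE;
    }
    return ctx->saved_attr[n];
}

/* Before the fix: trusts the caller-supplied count. */
static void cleanup_before_fix(struct model_ctx *ctx, uint32_t num_params)
{
    for (size_t n = 0; n < num_params; n++)
        if (read_attr(ctx, n) == ATTR_TMEM_INPUT)
            ctx->refs_released++;
}

/* After the fix: the count is capped at the array size. */
static void cleanup_after_fix(struct model_ctx *ctx, uint32_t num_params)
{
    for (size_t n = 0; n < MIN((unsigned int)TEE_NUM_PARAMS, num_params); n++)
        if (read_attr(ctx, n) == ATTR_TMEM_INPUT)
            ctx->refs_released++;
}

/* Drive a request of num_params entries through copy-in; on failure run the
 * chosen cleanup variant and return how many out-of-bounds indices it read. */
static size_t oob_reads_on_error_path(int fixed, uint32_t num_params)
{
    struct model_ctx ctx = { {0}, 0, 0 };
    /* Constructed request: two TMEM refs followed by unused slots. */
    uint64_t attrs[8] = { ATTR_TMEM_INPUT, ATTR_TMEM_INPUT, 0, 0, 0, 0, 0, 0 };

    if (num_params > 8)
        num_params = 8;
    if (model_copy_in_params(&ctx, attrs, num_params) == 0)
        return 0; /* success path: the caller would not run the error cleanup */
    if (fixed)
        cleanup_after_fix(&ctx, num_params);
    else
        cleanup_before_fix(&ctx, num_params);
    return ctx.oob_reads;
}

int main(void)
{
    printf("num_params=8, before fix: %zu OOB reads\n", oob_reads_on_error_path(0, 8));
    printf("num_params=8, after fix:  %zu OOB reads\n", oob_reads_on_error_path(1, 8));
    return 0;
}
```

With num_params=8 the uncapped loop reads four indices past saved_attr[], which is exactly the read the patch prevents; the capped loop reads none and, because copy-in rejected the request before claiming anything, still releases every reference that could have been taken.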
jenswi-linaro authored and jforissier committed Oct 6, 2022
1 parent 03e0743 commit 728616b
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion core/tee/entry_std.c
@@ -254,7 +254,7 @@ static void cleanup_shm_refs(const uint64_t *saved_attr,
{
size_t n;

for (n = 0; n < num_params; n++) {
for (n = 0; n < MIN((unsigned int)TEE_NUM_PARAMS, num_params); n++) {
switch (saved_attr[n]) {
case OPTEE_MSG_ATTR_TYPE_TMEM_INPUT:
case OPTEE_MSG_ATTR_TYPE_TMEM_OUTPUT:
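Review bot: The cap on the `for` line fixes the read, but nothing in the function records why it is safe to stop at TEE_NUM_PARAMS; a short comment, or an explicit clamp before the loop (`if (num_params > TEE_NUM_PARAMS) num_params = TEE_NUM_PARAMS;`), would state that copy_in_params() rejects larger counts before any parameter is processed, so entries past the array can hold no reference to release. The `(unsigned int)TEE_NUM_PARAMS` cast also implies MIN() is type-strict and that num_params is unsigned int; the signature is truncated in this hunk, so the declared type of num_params should be checked to match, and the clamp form above would avoid re-evaluating MIN() on every iteration.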
