Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
core: tee_entry: fix array out of bounds check in cleanup_shm_refs()
cleanup_shm_refs() can be called with num_params larger than what has been used by copy_in_params(). If num_params is larger than TEE_NUM_PARAMS copy_in_params() will return an error and cleanup_shm_refs() is called to clean up. This leads to accessing uint64_t saved_attr[TEE_NUM_PARAMS] in entry_invoke_command() or entry_open_session() out of bounds and possibly also the u[TEE_NUM_PARAMS] array in struct tee_ta_param. So fix this by capping num_params TEE_NUM_PARAMS in cleanup_shm_refs(). Fixes: b05cd88 ("core: enable non-contiguous temporary reference parameters") Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
- Loading branch information