
core: RPMB FS: check for potential overflows

This commit deals with a number of potential integer overflows in the
RPMB FS code.

rpmb_fs_init() requests device information from the REE. The RPMB size
is returned in struct rpmb_dev_info (field rpmb_size_mult) and is used
in a multiplication that could overflow. Use MUL_OVERFLOW() to deal with
this case.

Some overflow checks are also added in the read and write paths.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.12]
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
jforissier committed Feb 6, 2019
1 parent 06aa9a9 commit ea81076f7896de7278dcd62b47b99d5dc3351caf
Showing with 19 additions and 4 deletions.
  1. +19 −4 core/tee/tee_rpmb_fs.c
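--- a/core/tee/tee_rpmb_fs.c
+++ b/core/tee/tee_rpmb_fs.c
@@ -1117,8 +1117,13 @@ static TEE_Result tee_rpmb_init(uint16_t dev_id)
 goto func_exit;
 }
 
-rpmb_ctx->max_blk_idx = (dev_info.rpmb_size_mult *
-RPMB_SIZE_SINGLE / RPMB_DATA_SIZE) - 1;
+if (MUL_OVERFLOW(dev_info.rpmb_size_mult,
+RPMB_SIZE_SINGLE / RPMB_DATA_SIZE,
+&rpmb_ctx->max_blk_idx)) {
+res = TEE_ERROR_BAD_PARAMETERS;
+goto func_exit;
+}
+rpmb_ctx->max_blk_idx--;
 
 memcpy(rpmb_ctx->cid, dev_info.cid, RPMB_EMMC_CID_SIZE);
 
@@ -1192,6 +1197,10 @@ static TEE_Result tee_rpmb_read(uint16_t dev_id, uint32_t addr, uint8_t *data,
 blk_idx = addr / RPMB_DATA_SIZE;
 byte_offset = addr % RPMB_DATA_SIZE;
 
+if (len + byte_offset + RPMB_DATA_SIZE < RPMB_DATA_SIZE) {
+/* Overflow */
+return TEE_ERROR_BAD_PARAMETERS;
+}
 blkcnt =
 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE;
 res = tee_rpmb_init(dev_id);
@@ -2049,8 +2058,14 @@ static TEE_Result rpmb_fs_write_primitive(struct rpmb_file_handle *fh,
 if (fh->fat_entry.flags & FILE_IS_LAST_ENTRY)
 panic("invalid last entry flag");
 
-end = pos + size;
-start_addr = fh->fat_entry.start_address + pos;
+if (ADD_OVERFLOW(pos, size, &end)) {
+res = TEE_ERROR_BAD_PARAMETERS;
+goto out;
+}
+if (ADD_OVERFLOW(fh->fat_entry.start_address, pos, &start_addr)) {
+res = TEE_ERROR_BAD_PARAMETERS;
+goto out;
+}
 
 if (end <= fh->fat_entry.data_size &&
 tee_rpmb_write_is_atomic(CFG_RPMB_FS_DEV_ID, start_addr, size)) {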
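Review bot: The new guard in the tee_rpmb_read hunk, `if (len + byte_offset + RPMB_DATA_SIZE < RPMB_DATA_SIZE)`, only detects a wrap introduced by the rounding term; when `len + byte_offset` itself wraps, the sum lands at or above RPMB_DATA_SIZE and the test passes, leaving `blkcnt` computed from a wrapped value. This assumes the expression is evaluated in the width of `len`, whose declaration is outside the hunk, as are the start and end of tee_rpmb_read. Checking the two additions separately with the ADD_OVERFLOW() helper this commit already uses in rpmb_fs_write_primitive would cover both cases and read more clearly, e.g. `if (ADD_OVERFLOW(len, byte_offset, &n) || ADD_OVERFLOW(n, RPMB_DATA_SIZE - 1, &n))` with `n` a temporary of the same type as `len`. It is also worth confirming that the resulting block count fits the type of `blkcnt`, which is not visible here.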
