Kernel/linux-next
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git synced 2025-01-17 22:05:08 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

platform/x86/amd/pmf: Fix possible out-of-bound memory accesses

Browse Source 
The length of the policy buffer is not validated before accessing it,
which means that multiple out-of-bounds memory accesses can occur.

This is especially bad since userspace can load policy binaries over
debugfs.

Compile-tested only.

Fixes: 7c45534afa44 ("platform/x86/amd/pmf: Add support for PMF Policy Binary")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Reviewed-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
Link: https://lore.kernel.org/r/20240304205005.10078-5-W_Armin@gmx.de
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
This commit is contained in:
Armin Wolf 2024-03-04 21:50:05 +01:00 committed by Ilpo Järvinen
parent 9ced197640
commit 8c9be42172
No known key found for this signature in database
GPG Key ID: 59AC4F6153E5CE31
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/platform/x86/amd/pmf/tee-if.c
View File

@ -249,11 +249,17 @@ static int amd_pmf_start_policy_engine(struct amd_pmf_dev *dev)
struct cookie_header *header;
int res;
if (dev->policy_sz < POLICY_COOKIE_OFFSET + sizeof(*header))
return -EINVAL;
header = (struct cookie_header *)(dev->policy_buf + POLICY_COOKIE_OFFSET);
if (header->sign != POLICY_SIGN_COOKIE || !header->length)
return -EINVAL;
if (dev->policy_sz < header->length + 512)
return -EINVAL;
/* Update the actual length */
dev->policy_sz = header->length + 512;
res = amd_pmf_invoke_cmd_init(dev);