| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240227145500.299683-2-W_Armin@gmx.de> Date: Tue, 27 Feb 2024 15:55:00 +0100 From: Armin Wolf <W_Armin@....de> To: Shyam-sundar.S-k@....com Cc: hdegoede@...hat.com, ilpo.jarvinen@...ux.intel.com, platform-driver-x86@...r.kernel.org, linux-kernel@...r.kernel.org Subject: [PATCH v2 2/2] platform/x86/amd/pmf: Fix possible out-of-bound memory accesses The length of the policy buffer is not validated before accessing it, which means that multiple out-of-bounds memory accesses can occur. This is especially bad since userspace can load policy binaries over debugfs. Compile-tested only. Signed-off-by: Armin Wolf <W_Armin@....de> --- Changes since v1: - check if the policy buffer also has enough room for storing the length --- drivers/platform/x86/amd/pmf/tee-if.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/platform/x86/amd/pmf/tee-if.c b/drivers/platform/x86/amd/pmf/tee-if.c index b3491268b6a0..09e3c620a9c7 100644 --- a/drivers/platform/x86/amd/pmf/tee-if.c +++ b/drivers/platform/x86/amd/pmf/tee-if.c @@ -249,12 +249,18 @@ static int amd_pmf_start_policy_engine(struct amd_pmf_dev *dev) u32 cookie, length; int res; + if (dev->policy_sz < POLICY_COOKIE_LEN + sizeof(length)) + return -EINVAL; + cookie = *(u32 *)(dev->policy_buf + POLICY_COOKIE_OFFSET); length = *(u32 *)(dev->policy_buf + POLICY_COOKIE_LEN); if (cookie != POLICY_SIGN_COOKIE || !length) return -EINVAL; + if (dev->policy_sz < length + 512) + return -EINVAL; + /* Update the actual length */ dev->policy_sz = length + 512; res = amd_pmf_invoke_cmd_init(dev); -- 2.39.2
Powered by blists - more mailing lists