| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aMzoPc67ws5NMpKS@sumit-X1>
Date: Fri, 19 Sep 2025 10:51:01 +0530
From: Sumit Garg <sumit.garg@...nel.org>
To: Dan Carpenter <dan.carpenter@...aro.org>
Cc: Amirreza Zarrabi <amirreza.zarrabi@....qualcomm.com>,
Jens Wiklander <jens.wiklander@...aro.org>,
linux-arm-msm@...r.kernel.org, op-tee@...ts.trustedfirmware.org,
linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [PATCH next] tee: qcom: prevent potential off by one read
On Thu, Sep 18, 2025 at 12:50:26PM +0300, Dan Carpenter wrote:
> Re-order these checks to check if "i" is a valid array index before using
> it. This prevents a potential off by one read access.
>
> Fixes: d6e290837e50 ("tee: add Qualcomm TEE driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
> ---
> drivers/tee/qcomtee/call.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Reviewed-by: Sumit Garg <sumit.garg@....qualcomm.com>
-Sumit
>
> diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c
> index cc17a48d0ab7..ac134452cc9c 100644
> --- a/drivers/tee/qcomtee/call.c
> +++ b/drivers/tee/qcomtee/call.c
> @@ -308,7 +308,7 @@ static int qcomtee_params_from_args(struct tee_param *params,
> }
>
> /* Release any IO and OO objects not processed. */
> - for (; u[i].type && i < num_params; i++) {
> + for (; i < num_params && u[i].type; i++) {
> if (u[i].type == QCOMTEE_ARG_TYPE_OO ||
> u[i].type == QCOMTEE_ARG_TYPE_IO)
> qcomtee_object_put(u[i].o);
> --
> 2.51.0
>
>
Powered by blists - more mailing lists