colin/u-boot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tee: sandbox: check for buffer size

Browse Source 
Add additional check for buffer size when reading out persistent
storage value and provide back actual value size.

Signed-off-by: Igor Opaniuk <igor.opaniuk@gmail.com>
Reviewed-by: Oleksandr Suvorov <cryosay@gmail.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
This commit is contained in:
Igor Opaniuk
2024-04-21 22:48:39 +02:00
committed by Ilias Apalodimas
parent d097f9e129
commit 8800cbe9b8
1 changed files with 7 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
drivers/tee/sandbox.c
View File

@@ -174,7 +174,7 @@ static u32 ta_avb_invoke_func(struct udevice *dev, u32 func, uint num_params,
uint slot; uint slot;
u64 val; u64 val;
char *value; char *value;
u32 value_sz; u32 value_sz, tmp_sz;
switch (func) { switch (func) {
case TA_AVB_CMD_READ_ROLLBACK_INDEX: case TA_AVB_CMD_READ_ROLLBACK_INDEX:
@@ -267,8 +267,12 @@ static u32 ta_avb_invoke_func(struct udevice *dev, u32 func, uint num_params,
if (!ep) if (!ep)
return TEE_ERROR_ITEM_NOT_FOUND; return TEE_ERROR_ITEM_NOT_FOUND;
value_sz = strlen(ep->data) + 1; tmp_sz = strlen(ep->data) + 1;
memcpy(value, ep->data, value_sz); if (value_sz < tmp_sz)
return TEE_ERROR_SHORT_BUFFER;
memcpy(value, ep->data, tmp_sz);
params[1].u.memref.size = tmp_sz;
return TEE_SUCCESS; return TEE_SUCCESS;
case TA_AVB_CMD_WRITE_PERSIST_VALUE: case TA_AVB_CMD_WRITE_PERSIST_VALUE: