diff options
| author | Marc Bonnici <marc.bonnici@arm.com> | 2022-10-18 13:57:16 +0100 |
|---|---|---|
| committer | Joanna Farley <joanna.farley@arm.com> | 2022-11-07 14:39:33 +0100 |
| commit | 21ed9ea32325fc556fa7e907e4995888bd3a3b45 (patch) | |
| tree | 7788626b4ba7e0e03a2e025bac9215876d6b99a5 /services/std_svc | |
| parent | 0dc35186669ddaedb3a932e103c3976bc3bf75d6 (diff) | |
| download | arm-trusted-firmware-21ed9ea32325fc556fa7e907e4995888bd3a3b45.tar.gz | |
fix(el3-spmc): fix location of fragment length check
Ensure that the fragment_length parameter is validated to prevent
a buffer overflow before it is used. Reported by Matt Oh, Google Android Red Team.
Reported-by: mattoh@google.com
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I0323c096ffd988fbd85bbd4ade3abd8427aea977
Diffstat (limited to 'services/std_svc')
| -rw-r--r-- | services/std_svc/spm/el3_spmc/spmc_shared_mem.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c index 6f6d273d6..d4d0407c1 100644 --- a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c +++ b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c @@ -885,9 +885,6 @@ static long spmc_ffa_fill_desc(struct mailbox *mbox, goto err_arg; } - memcpy((uint8_t *)&obj->desc + obj->desc_filled, - (uint8_t *) mbox->tx_buffer, fragment_length); - if (fragment_length > obj->desc_size - obj->desc_filled) { WARN("%s: bad fragment size %u > %zu remaining\n", __func__, fragment_length, obj->desc_size - obj->desc_filled); @@ -895,6 +892,9 @@ static long spmc_ffa_fill_desc(struct mailbox *mbox, goto err_arg; } + memcpy((uint8_t *)&obj->desc + obj->desc_filled, + (uint8_t *) mbox->tx_buffer, fragment_length); + /* Ensure that the sender ID resides in the normal world. */ if (ffa_is_secure_world_id(obj->desc.sender_id)) { WARN("%s: Invalid sender ID 0x%x.\n", |