authorTom Hacohen <tom@stosb.com>2014-10-22 11:31:06 +0100
committerTom Hacohen <tom@stosb.com>2014-10-22 11:31:10 +0100
commit0b86334a858d9ba88a1642ec5671185292e75ce5 (patch)
tree451cf53db685a268881e631bb7e7e93b83777a10
parent52135379df002cc64900eec7d936084f591e7373 (diff)
Eo id: Fix id security checks for invalid objects.
In some cases, invalid object ids (e.g. 0x1) would pass validation and represent completely different objects (0x80...01). This happened because we weren't properly checking that a given object id is actually an object id. @fix.
-rw-r--r--src/lib/eo/eo_ptr_indirection.x7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/lib/eo/eo_ptr_indirection.x b/src/lib/eo/eo_ptr_indirection.x
index 8a15c7d8c0..dbdf16864e 100644
--- a/src/lib/eo/eo_ptr_indirection.x
+++ b/src/lib/eo/eo_ptr_indirection.x
@@ -100,6 +100,7 @@ typedef uint32_t Generation_Counter;
#define MASK_TABLE_ID ((1 << BITS_TABLE_ID) - 1)
#define MASK_ENTRY_ID ((1 << BITS_ENTRY_ID) - 1)
#define MASK_GENERATIONS (MAX_GENERATIONS - 1)
+#define MASK_OBJ_TAG (((Eo_Id) 1) << (REF_TAG_SHIFT))
/* This only applies to classes. Used to artificially enlarge the class ids
* to reduce the likelihood of a clash with normal integers. */
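Review bot: The new `MASK_OBJ_TAG` macro has no comment saying what the bit means, and it sits directly before a comment that is about class ids, which makes it easy to misread. A one-line comment above it would help, e.g. `/* Tag bit that must be set in every object id; checked in _eo_obj_pointer_get(). */`. `REF_TAG_SHIFT` is defined outside this hunk, so it is worth confirming that the tag bit does not overlap the table/entry/generation fields covered by the masks above.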
@@ -273,6 +274,12 @@ _eo_obj_pointer_get(const Eo_Id obj_id)
DBG("obj_id is NULL. Possibly unintended access?");
return NULL;
}
+ else if (!(obj_id & MASK_OBJ_TAG))
+ {
+ DBG("obj_id is not a valid object id.");
+ return NULL;
+ }
+
EO_DECOMPOSE_ID(obj_id, mid_table_id, table_id, entry_id, generation);
/* Check the validity of the entry */
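Review bot: The rejection added after the NULL check is logged with `DBG` and without the offending value, so a caller passing a bogus id (the 0x1 case from the commit message) is probably invisible at default log levels and hard to trace back. Consider including the id and, if this file has an error-level log macro available, using it: `ERR("obj_id %p is not a valid object id.", (void *) obj_id);`. Note also that the test only proves the tag bit is set; any integer with that bit set still reaches `EO_DECOMPOSE_ID`, so the entry validity checks that follow (outside this hunk) remain the real validation. If other functions in this file decompose an `Eo_Id` on their own, they would need the same guard; that is not visible from this hunk.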