OpenE2K/linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

tee: amdtee: out of bounds read in find_session()

Browse Source 
The "index" is a user provided value from 0-USHRT_MAX.  If it's over
TEE_NUM_SESSIONS (31) then it results in an out of bounds read when we
call test_bit(index, sess->sess_mask).

Fixes: 757cc3e9ff ("tee: add AMD-TEE driver")
Acked-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
This commit is contained in:
Dan Carpenter 2020-02-27 19:19:54 +03:00 committed by Jens Wiklander
parent 11a48a5a18
commit 36fa3e5008
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
drivers/tee/amdtee/core.c
View File

@ -139,6 +139,9 @@ static struct amdtee_session *find_session(struct amdtee_context_data *ctxdata,
u32 index = get_session_index(session);
struct amdtee_session *sess;
if (index >= TEE_NUM_SESSIONS)
return NULL;
list_for_each_entry(sess, &ctxdata->sess_list, list_node)
if (ta_handle == sess->ta_handle &&
test_bit(index, sess->sess_mask))