Commit 36fa3e50 authored by Dan Carpenter, committed by Jens Wiklander

tee: amdtee: out of bounds read in find_session()

The "index" is a user provided value from 0-USHRT_MAX.  If it's over
TEE_NUM_SESSIONS (31) then it results in an out of bounds read when we
call test_bit(index, sess->sess_mask).

Fixes: 757cc3e9 ("tee: add AMD-TEE driver")
Acked-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
parent 11a48a5a
...@@ -139,6 +139,9 @@ static struct amdtee_session *find_session(struct amdtee_context_data *ctxdata, ...@@ -139,6 +139,9 @@ static struct amdtee_session *find_session(struct amdtee_context_data *ctxdata,
u32 index = get_session_index(session); u32 index = get_session_index(session);
struct amdtee_session *sess; struct amdtee_session *sess;
if (index >= TEE_NUM_SESSIONS)
return NULL;
list_for_each_entry(sess, &ctxdata->sess_list, list_node) list_for_each_entry(sess, &ctxdata->sess_list, list_node)
if (ta_handle == sess->ta_handle && if (ta_handle == sess->ta_handle &&
test_bit(index, sess->sess_mask)) test_bit(index, sess->sess_mask))
......
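Review bot: the `index >= TEE_NUM_SESSIONS` check at the top of find_session() bounds only the test_bit() call in this function, and nothing in the hunk shows whether other users of get_session_index() apply the same limit before using the result on sess->sess_mask. Since the commit message says the index is user provided and can reach USHRT_MAX, it would be worth confirming that every other path passing this index to a bit operation on sess_mask rejects out-of-range values, or moving the bound into one shared helper so it cannot be missed. A one-line comment above the check saying that the index comes from the user-supplied session value would also help later readers. Minor wording point: the message says "over TEE_NUM_SESSIONS" while the code also rejects index == TEE_NUM_SESSIONS; if sess_mask holds TEE_NUM_SESSIONS bits, the `>=` in the code is the correct bound and the message could say "TEE_NUM_SESSIONS or more".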