Commit 83e007a0 authored by Carlo Caione's avatar Carlo Caione Committed by Kevin Hilman

firmware: meson-sm: Check for buffer output size

After the data is read by the secure monitor driver it is being copied
in the output buffer checking only the size of the bounce buffer but not
the size of the output buffer.

Fix this in the secure monitor driver slightly changing the API. Fix
also the efuse driver that it is the only driver using this API to not
break bisectability.
Signed-off-by: default avatarCarlo Caione <carlo@endlessm.com>
Acked-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> # for nvmem
Acked-by: default avatarMark Rutland <mark.rutland@arm.com>
Signed-off-by: default avatarKevin Hilman <khilman@baylibre.com>
parent c1ae3cfa
...@@ -127,6 +127,7 @@ EXPORT_SYMBOL(meson_sm_call); ...@@ -127,6 +127,7 @@ EXPORT_SYMBOL(meson_sm_call);
* meson_sm_call_read - retrieve data from secure-monitor * meson_sm_call_read - retrieve data from secure-monitor
* *
* @buffer: Buffer to store the retrieved data * @buffer: Buffer to store the retrieved data
* @bsize: Size of the buffer
* @cmd_index: Index of the SMC32 function ID * @cmd_index: Index of the SMC32 function ID
* @arg0: SMC32 Argument 0 * @arg0: SMC32 Argument 0
* @arg1: SMC32 Argument 1 * @arg1: SMC32 Argument 1
...@@ -136,8 +137,8 @@ EXPORT_SYMBOL(meson_sm_call); ...@@ -136,8 +137,8 @@ EXPORT_SYMBOL(meson_sm_call);
* *
* Return: size of read data on success, a negative value on error * Return: size of read data on success, a negative value on error
*/ */
int meson_sm_call_read(void *buffer, unsigned int cmd_index, u32 arg0, int meson_sm_call_read(void *buffer, unsigned int bsize, unsigned int cmd_index,
u32 arg1, u32 arg2, u32 arg3, u32 arg4) u32 arg0, u32 arg1, u32 arg2, u32 arg3, u32 arg4)
{ {
u32 size; u32 size;
...@@ -147,10 +148,13 @@ int meson_sm_call_read(void *buffer, unsigned int cmd_index, u32 arg0, ...@@ -147,10 +148,13 @@ int meson_sm_call_read(void *buffer, unsigned int cmd_index, u32 arg0,
if (!fw.chip->cmd_shmem_out_base) if (!fw.chip->cmd_shmem_out_base)
return -EINVAL; return -EINVAL;
if (bsize > fw.chip->shmem_size)
return -EINVAL;
if (meson_sm_call(cmd_index, &size, arg0, arg1, arg2, arg3, arg4) < 0) if (meson_sm_call(cmd_index, &size, arg0, arg1, arg2, arg3, arg4) < 0)
return -EINVAL; return -EINVAL;
if (!size || size > fw.chip->shmem_size) if (!size || size > bsize)
return -EINVAL; return -EINVAL;
if (buffer) if (buffer)
......
...@@ -27,7 +27,7 @@ static int meson_efuse_read(void *context, unsigned int offset, ...@@ -27,7 +27,7 @@ static int meson_efuse_read(void *context, unsigned int offset,
u8 *buf = val; u8 *buf = val;
int ret; int ret;
ret = meson_sm_call_read(buf, SM_EFUSE_READ, offset, ret = meson_sm_call_read(buf, bytes, SM_EFUSE_READ, offset,
bytes, 0, 0, 0); bytes, 0, 0, 0);
if (ret < 0) if (ret < 0)
return ret; return ret;
......
...@@ -25,7 +25,7 @@ int meson_sm_call(unsigned int cmd_index, u32 *ret, u32 arg0, u32 arg1, ...@@ -25,7 +25,7 @@ int meson_sm_call(unsigned int cmd_index, u32 *ret, u32 arg0, u32 arg1,
u32 arg2, u32 arg3, u32 arg4); u32 arg2, u32 arg3, u32 arg4);
int meson_sm_call_write(void *buffer, unsigned int b_size, unsigned int cmd_index, int meson_sm_call_write(void *buffer, unsigned int b_size, unsigned int cmd_index,
u32 arg0, u32 arg1, u32 arg2, u32 arg3, u32 arg4); u32 arg0, u32 arg1, u32 arg2, u32 arg3, u32 arg4);
int meson_sm_call_read(void *buffer, unsigned int cmd_index, u32 arg0, u32 arg1, int meson_sm_call_read(void *buffer, unsigned int bsize, unsigned int cmd_index,
u32 arg2, u32 arg3, u32 arg4); u32 arg0, u32 arg1, u32 arg2, u32 arg3, u32 arg4);
#endif /* _MESON_SM_FW_H_ */ #endif /* _MESON_SM_FW_H_ */
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment