The length of the policy buffer is not validated before accessing it, which means that multiple out-of-bounds memory accesses can occur. This is especially bad since userspace can load policy binaries over debugfs. Compile-tested only. Signed-off-by: Armin Wolf <W_Armin@xxxxxx> --- drivers/platform/x86/amd/pmf/tee-if.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/platform/x86/amd/pmf/tee-if.c b/drivers/platform/x86/amd/pmf/tee-if.c index 70d09103ab18..f2f9204b3a11 100644 --- a/drivers/platform/x86/amd/pmf/tee-if.c +++ b/drivers/platform/x86/amd/pmf/tee-if.c @@ -249,12 +249,18 @@ static int amd_pmf_start_policy_engine(struct amd_pmf_dev *dev) u32 cookie, length; int res; + if (dev->policy_sz < POLICY_COOKIE_LEN) + return -EINVAL; + cookie = dev->policy_buf[POLICY_COOKIE_OFFSET]; length = dev->policy_buf[POLICY_COOKIE_LEN]; if (cookie != POLICY_SIGN_COOKIE || !length) return -EINVAL; + if (dev->policy_sz < length + 512) + return -EINVAL; + /* Update the actual length */ dev->policy_sz = length + 512; res = amd_pmf_invoke_cmd_init(dev); -- 2.39.2
