The length of the policy buffer is not validated before accessing it, which means that multiple out-of-bounds memory accesses can occur. This is especially bad since userspace can load policy binaries over debugfs. Compile-tested only. Signed-off-by: Armin Wolf <W_Armin@xxxxxx> --- Changes since v1: - check if the policy buffer also has enough room for storing the length --- drivers/platform/x86/amd/pmf/tee-if.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/platform/x86/amd/pmf/tee-if.c b/drivers/platform/x86/amd/pmf/tee-if.c index b3491268b6a0..09e3c620a9c7 100644 --- a/drivers/platform/x86/amd/pmf/tee-if.c +++ b/drivers/platform/x86/amd/pmf/tee-if.c @@ -249,12 +249,18 @@ static int amd_pmf_start_policy_engine(struct amd_pmf_dev *dev) u32 cookie, length; int res; + if (dev->policy_sz < POLICY_COOKIE_LEN + sizeof(length)) + return -EINVAL; + cookie = *(u32 *)(dev->policy_buf + POLICY_COOKIE_OFFSET); length = *(u32 *)(dev->policy_buf + POLICY_COOKIE_LEN); if (cookie != POLICY_SIGN_COOKIE || !length) return -EINVAL; + if (dev->policy_sz < length + 512) + return -EINVAL; + /* Update the actual length */ dev->policy_sz = length + 512; res = amd_pmf_invoke_cmd_init(dev); -- 2.39.2
