commit | 49a875007e93bf7b1042ba45dd9f6853ed1dd9b9 | |
---|---|---|
author | Jens Wiklander <jens.wiklander@linaro.org> | Mon Jun 21 13:39:49 2021 +0200 |
committer | Jérôme Forissier <jerome@forissier.org> | Wed Jun 23 15:15:10 2021 +0200 |
tree | 08ac2ec3db2f4397e90302c2aaa29af2524eb36d | |
parent | 1b02ce1d6e582888bad51eeadfb3336887c7d501 | |

core: add more overflow checks in ree_fs_ta_open()

Adds more overflow checks in ree_fs_ta_open() and also checks that the encrypted header (struct shdr_encrypted_ta) also fits in the size of the TA binary.

The latter check is needed to guard against fabricated values in struct shdr_encrypted_ta for iv_size and/or tag_size which could trick OP-TEE to read beyond the end of the buffer where the TA was loaded.

Reading beyond the end of the TA buffer would normally result in a crash or, if there's a valid mapping just after, just a failure to load the TA. No unchecked code will be executed, but it may result in a secure world crash.

So this commit will check that the iv_size and tag_size values can point to a valid buffer before attempting to read and thus prevent a crash.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reported-by: Patrik Lantz <Patrik.Lantz@axis.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

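
The kind of check the commit message describes, as an added example that is not OP-TEE's code: validate a header's untrusted iv_size and tag_size against the image size before anything past the fixed header is read. `struct enc_hdr` and `enc_hdr_fits()` are hypothetical names, the struct is a simplified stand-in, and `__builtin_add_overflow` assumes GCC or Clang.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an encrypted-TA header, not OP-TEE's definition. */
struct enc_hdr {
	uint32_t enc_algo;
	uint32_t flags;
	uint16_t iv_size;  /* untrusted: comes from the loaded file */
	uint16_t tag_size; /* untrusted: comes from the loaded file */
};                         /* followed by iv[iv_size], tag[tag_size] */

/* True if the header at offset off, plus its IV and tag, lies inside buf. */
bool enc_hdr_fits(const uint8_t *buf, size_t buf_len, size_t off, size_t *end_off)
{
	struct enc_hdr h;
	size_t end = 0;

	/* The fixed part must fit before any of its fields is read. */
	if (__builtin_add_overflow(off, sizeof(h), &end) || end > buf_len)
		return false;
	memcpy(&h, buf + off, sizeof(h)); /* copy out: buf + off may be unaligned */

	/* Then the sizes it declares must stay inside the image, without wrapping. */
	if (__builtin_add_overflow(end, (size_t)h.iv_size, &end) ||
	    __builtin_add_overflow(end, (size_t)h.tag_size, &end) || end > buf_len)
		return false;
	*end_off = end;
	return true;
}

int main(void)
{
	/* Constructed image: 8 bytes of other data, header, 12-byte IV, 16-byte tag. */
	uint8_t img[48] = { 0 };
	struct enc_hdr h = { .iv_size = 12, .tag_size = 16 };
	size_t end = 0;

	memcpy(img + 8, &h, sizeof(h));
	printf("honest header fits: %d\n", enc_hdr_fits(img, sizeof(img), 8, &end));
	h.tag_size = 0xffff; /* fabricated size reaching past the image */
	memcpy(img + 8, &h, sizeof(h));
	printf("fabricated header fits: %d\n", enc_hdr_fits(img, sizeof(img), 8, &end));
	return 0;
}
```
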
This git contains source code for the secure side implementation of the OP-TEE project.
All official OP-TEE documentation has moved to http://optee.readthedocs.io.