Crypto: Prevent the scratch allocator from overflowing
If the requested_size from the scratch allocator is
greater than 0xfffffffc, the align macro overflows
without failing allocation thus allowing out-of-bounds
writes in the Crypto partition memory.
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
Change-Id: Ic218fea8238ecd3e8d146586d2c413386870d580
diff --git a/secure_fw/partitions/crypto/crypto_init.c b/secure_fw/partitions/crypto/crypto_init.c
index e6557c8..185bd57 100644
--- a/secure_fw/partitions/crypto/crypto_init.c
+++ b/secure_fw/partitions/crypto/crypto_init.c
@@ -112,6 +112,11 @@
static psa_status_t tfm_crypto_alloc_scratch(size_t requested_size, void **buf)
{
+ /* Prevent ALIGN() from overflowing */
+ if (requested_size > SIZE_MAX - (TFM_CRYPTO_IOVEC_ALIGNMENT - 1)) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
/* Ensure alloc_index remains aligned to the required iovec alignment */
requested_size = ALIGN(requested_size, TFM_CRYPTO_IOVEC_ALIGNMENT);
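Review bot: The guard `requested_size > SIZE_MAX - (TFM_CRYPTO_IOVEC_ALIGNMENT - 1)` only covers the `ALIGN()` step; it does not by itself prevent the subsequent addition of the aligned `requested_size` to the current scratch `alloc_index` from wrapping. Since that bounds check is outside this hunk, it is worth confirming it is written in a non-overflowing form, e.g. `requested_size > scratch_size - alloc_index` rather than `alloc_index + requested_size > scratch_size`, otherwise a large-but-below-threshold request could still produce the out-of-bounds write the commit message describes. Two smaller points: the bound assumes `ALIGN(x, a)` computes `x + (a - 1)` before masking or dividing, which matches the `0xfffffffc` threshold in the message for a 4-byte alignment on 32-bit `size_t`, so a one-line comment stating that dependency next to the check would help future readers; and a request this large is arguably a caller error, so `PSA_ERROR_INVALID_ARGUMENT` may be a more accurate return than `PSA_ERROR_INSUFFICIENT_MEMORY`, though either safely refuses the allocation.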