tfm_spe_mailbox: Do not write-back on input vectors checks failure

If the validation of the vector parameters fails, the outvecs are written
back regardless.
This may cause an out-of-bound write from the address that was previously
stored in original_out_vec and the length that could go past the local
out_vec.

Note that this fix requires:
`tfm_spe_mailbox: Validate vectors from NSPE`

Prior to this change and the one above, it is possible to craft a couple
of mailbox messages to first write in vectors[1].in_vec a target value,
then a second message with:
- an out_vec.len to go past out_vec[0], 6 for example
- a target address for a PSA-ROT private storage, `ps_crypto_iv_buf`
  for example.

Signed-off-by: Nicola Mazzucato <nicola.mazzucato@arm.com>
Change-Id: Iadff8d6ba8160c1b757e6a1a9622473781b2027c
(cherry picked from commit 5ae0a02e847335f4e35ae6aa0b68b80280794776)
1 file changed
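
The ordering the commit message calls for, as an added sketch that is not code from this commit or from the project: parameters are snapshotted and validated first, and the write-back to the caller's out vectors is reached only on the success path, bounded by the validated count. The types, `MAX_VEC`, `params_valid`, `do_service` and `handle_msg` are hypothetical names chosen for the illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_VEC 4 /* assumed cap on vectors per message */

/* Hypothetical, simplified types; not the project's definitions. */
typedef struct { void *base; size_t len; } vec_t;
typedef struct { vec_t *out_vec; size_t out_len; } ns_params_t;

/* Validate a local snapshot of the caller-supplied vector parameters. */
static int params_valid(const ns_params_t *p)
{
    return p->out_vec != NULL && p->out_len <= MAX_VEC;
}

/* Stand-in for the service call: records 1 byte produced per out vector. */
static void do_service(vec_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++) out[i].len = 1;
}

/* Returns 0 on success, -1 when the parameters are rejected. Lengths are
 * written back to the caller's array only after validation succeeded. */
int handle_msg(const ns_params_t *ns)
{
    vec_t local_out[MAX_VEC];
    ns_params_t p;

    if (ns == NULL) return -1;
    p = *ns; /* snapshot, so validation and use see the same values */
    if (!params_valid(&p)) {
        return -1; /* failure path: no write-back through the saved pointer */
    }
    vec_t *original_out_vec = p.out_vec;
    memcpy(local_out, original_out_vec, p.out_len * sizeof(vec_t));

    do_service(local_out, p.out_len);

    for (size_t i = 0; i < p.out_len; i++) { /* out_len <= MAX_VEC here */
        original_out_vec[i].len = local_out[i].len;
    }
    return 0;
}

int main(void)
{
    vec_t caller[6] = {{0, 99}, {0, 99}, {0, 99}, {0, 99}, {0, 99}, {0, 99}}; /* constructed sample */
    ns_params_t bad = { caller, 6 }; /* out_len past the local array */
    return (handle_msg(&bad) == -1 && caller[5].len == 99) ? 0 : 1;
}
```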