This patch series fixes various issues inside the policy binary
handling code.
The first patch makes sure that a valid error code is returned upon
failing to start the policy engine, while the second patch drops the
usage of readl() on non-io memory.
The last two patches fix a possible out-of-bounds memory access when
parsing the policy binary header.

All patches are compile-tested only.

Changes since v2:
- add patches 1 and 3

Changes since v1:
- get the full dword instead of only 8 bits when reading the header
- check if the policy buffer also has enough room for storing the length

Armin Wolf (4):
  platform/x86/amd/pmf: Fix return value of
    amd_pmf_start_policy_engine()
  platform/x86/amd/pmf: Do not use readl() for policy buffer access
  platform/x86/amd/pmf: Use struct for cookie header
  platform/x86/amd/pmf: Fix possible out-of-bound memory accesses

 drivers/platform/x86/amd/pmf/pmf.h    |  6 +++++-
 drivers/platform/x86/amd/pmf/tee-if.c | 21 +++++++++++++--------
 2 files changed, 18 insertions(+), 9 deletions(-)
--
2.39.2
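
The header checks the cover letter describes (read the full 32-bit fields, and confirm the buffer has room for the length field before reading it), as an added user-space example that is not code from this series or from the driver. The offset, the signature value, the struct layout and the ex_ names are hypothetical, and the final check that the claimed payload fits after the header goes beyond what the cover letter states.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical values for illustration; not taken from the driver. */
#define EX_COOKIE_OFFSET 0x10u
#define EX_SIGN_COOKIE   0x31535024u

/* Hypothetical header layout: 32-bit signature, then 32-bit length. */
struct ex_cookie_header {
	uint32_t sign;
	uint32_t length;
};

/* Returns 0 and sets *out_len on success, -EINVAL on any malformed input. */
int ex_parse_policy_header(const uint8_t *buf, size_t buf_size, uint32_t *out_len)
{
	struct ex_cookie_header hdr;

	/* The buffer must hold the whole header: signature AND length. */
	if (buf_size < EX_COOKIE_OFFSET + sizeof(hdr))
		return -EINVAL;

	/* memcpy reads full dwords without unaligned or type-punned loads. */
	memcpy(&hdr, buf + EX_COOKIE_OFFSET, sizeof(hdr));
	if (hdr.sign != EX_SIGN_COOKIE || hdr.length == 0)
		return -EINVAL;

	/* Assumption: payload follows the header; it must fit in the rest. */
	if (hdr.length > buf_size - EX_COOKIE_OFFSET - sizeof(hdr))
		return -EINVAL;

	*out_len = hdr.length;
	return 0;
}

int main(void)
{
	/* Constructed sample: 64-byte buffer whose header claims 8 bytes. */
	uint8_t buf[64] = {0};
	struct ex_cookie_header hdr = { EX_SIGN_COOKIE, 8 };
	uint32_t len = 0;

	memcpy(buf + EX_COOKIE_OFFSET, &hdr, sizeof(hdr));
	printf("full buffer: %d\n", ex_parse_policy_header(buf, sizeof(buf), &len));
	printf("truncated:   %d\n", ex_parse_policy_header(buf, 20, &len));
	return 0;
}
```
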
The policy buffer is allocated using normal memory allocation
functions, so readl() should not be used on it.
Compile-tested only.
Fixes: 7c45534afa44 ("platform/x86/amd/pmf: Add support for PMF Policy Binary")
Signed-off-by: Armin Wolf <[email protected]>
---
drivers/platform/x86/amd/pmf/tee-if.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/x86/amd/pmf/tee-if.c b/drivers/platform/x86/amd/pmf/tee-if.c
index 13dd4462e1e3..58ec2c9606e1 100644
--- a/drivers/platform/x86/amd/pmf/tee-if.c
+++ b/drivers/platform/x86/amd/pmf/tee-if.c
@@ -249,8 +249,8 @@ static int amd_pmf_start_policy_engine(struct amd_pmf_dev *dev)
u32 cookie, length;
int res;
- cookie = readl(dev->policy_buf + POLICY_COOKIE_OFFSET);
- length = readl(dev->policy_buf + POLICY_COOKIE_LEN);
+ cookie = *(u32 *)(dev->policy_buf + POLICY_COOKIE_OFFSET);
+ length = *(u32 *)(dev->policy_buf + POLICY_COOKIE_LEN);
if (cookie != POLICY_SIGN_COOKIE || !length)
return -EINVAL;
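Review bot: the two added u32 loads at dev->policy_buf + POLICY_COOKIE_OFFSET and dev->policy_buf + POLICY_COOKIE_LEN still run before anything visible in this hunk confirms that the policy buffer is large enough to contain both dwords, so a short policy binary would be read past its end. A size check ahead of these two lines, returning -EINVAL like the existing cookie/length test, would close that; the cover letter indicates the last patch of the series deals with it. Separately, readl() implied a little-endian read, while the plain dereference reads in CPU byte order and assumes both offsets are 4-byte aligned. That is equivalent on x86, but a short comment or get_unaligned_le32() would make the intent explicit.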
--
2.39.2
On 3/5/2024 02:20, Armin Wolf wrote:
> This patch series fixes various issues inside the policy binary
> handling code.
> The first patch makes sure that a valid error code is returned upon
> failing to start the policy engine, while the second patch drops the
> usage of readl() on non-io memory.
> The last two patches fix a possible out-of-bounds memory access when
> parsing the policy binary header.
>
> All patches are compile-tested only.
>
> Changes since v2:
> - add patches 1 and 3
>
> Changes since v1:
> - get the full dword instead of only 8 bits when reading the header
> - check if the policy buffer also has enough room for storing the length
Thank you Armin. Series looks good to me.
Reviewed-by: Shyam Sundar S K [email protected]
>
> Armin Wolf (4):
> platform/x86/amd/pmf: Fix return value of
> amd_pmf_start_policy_engine()
> platform/x86/amd/pmf: Do not use readl() for policy buffer access
> platform/x86/amd/pmf: Use struct for cookie header
> platform/x86/amd/pmf: Fix possible out-of-bound memory accesses
>
> drivers/platform/x86/amd/pmf/pmf.h | 6 +++++-
> drivers/platform/x86/amd/pmf/tee-if.c | 21 +++++++++++++--------
> 2 files changed, 18 insertions(+), 9 deletions(-)
>
> --
> 2.39.2
>
On Mon, 04 Mar 2024 21:50:01 +0100, Armin Wolf wrote:
> This patch series fixes various issues inside the policy binary
> handling code.
> The first patch makes sure that a valid error code is returned upon
> failing to start the policy engine, while the second patch drops the
> usage of readl() on non-io memory.
> The last two patches fix a possible out-of-bounds memory access when
> parsing the policy binary header.
>
> [...]
Thank you for your contribution, it has been applied to my local
review-ilpo branch. Note it will show up in the public
platform-drivers-x86/review-ilpo branch only once I've pushed my
local branch there, which might take a while.
The list of commits applied:
[1/4] platform/x86/amd/pmf: Fix return value of amd_pmf_start_policy_engine()
commit: 98cfcece0ab86c99bc106633d764fb6ad4a35b8e
[2/4] platform/x86/amd/pmf: Do not use readl() for policy buffer access
commit: 379a7c64c4fa33315b504ede86a87188dc88fef4
[3/4] platform/x86/amd/pmf: Use struct for cookie header
commit: a87d92223084f61d37da4952ad68634ea8a7caaf
[4/4] platform/x86/amd/pmf: Fix possible out-of-bound memory accesses
commit: 1e7a14ee259e2ff85be51bf36a7692b20233159a
--
i.
On Wed, 6 Mar 2024, Shyam Sundar S K wrote:
> On 3/5/2024 02:20, Armin Wolf wrote:
> > This patch series fixes various issues inside the policy binary
> > handling code.
> > The first patch makes sure that a valid error code is returned upon
> > failing to start the policy engine, while the second patch drops the
> > usage of readl() on non-io memory.
> > The last two patches fix a possible out-of-bounds memory access when
> > parsing the policy binary header.
> >
> > All patches are compile-tested only.
> >
> > Changes since v2:
> > - add patches 1 and 3
> >
> > Changes since v1:
> > - get the full dword instead of only 8 bits when reading the header
> > - check if the policy buffer also has enough room for storing the length
>
> Thank you Armin. Series looks good to me.
>
> Reviewed-by: Shyam Sundar S K [email protected]
Thanks for taking a look.
Btw, you were missing <> around the address so the patchwork automation
didn't catch that line. To help the patchwork to capture that tag (no need
for you to do anything):
Reviewed-by: Shyam Sundar S K <[email protected]>
--
i.
> > Armin Wolf (4):
> > platform/x86/amd/pmf: Fix return value of
> > amd_pmf_start_policy_engine()
> > platform/x86/amd/pmf: Do not use readl() for policy buffer access
> > platform/x86/amd/pmf: Use struct for cookie header
> > platform/x86/amd/pmf: Fix possible out-of-bound memory accesses