Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp347793ybh; Mon, 9 Mar 2020 23:23:18 -0700 (PDT) X-Google-Smtp-Source: ADFU+vs3NbYNseS+VaiYRdTImgKgsX/xyB37R5HXxRo6FCBS8UnzsHkWDDIz2JfG1CnPYnYfijm0 X-Received: by 2002:a05:6830:1cc:: with SMTP id r12mr12592992ota.362.1583821398648; Mon, 09 Mar 2020 23:23:18 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1583821398; cv=pass; d=google.com; s=arc-20160816; b=m6Sei/poeydXf+XRnMmhBALxWnKi/XysirYJ/23sIG+FDGeliR92B4lVs4n8nBEKIo msiJSOSAm+osXTq9gmVKJqda4rzd2jkmFBBnj7mI04aVdUv2P/Dp2yXOhohG66jB8Bu9 xf2Xa3IXWZR1P/U8hKpO/9fAtYpmBLgz53tF+Q7gR6fJ6Kw80H/DpcMe1E2tIHYX8YEC hLe4gTTgUX+p0r93/rpOEfQDJmOn+YzuLZKhUOCNybbYHFbJPGdm2c9FKM1WwhgfsMgb F8yNPgihkdUYxIJDm23G9+SuQ+YtSSFE259MTlFA+blKmWHillhciZicJkp/ftWByzgW li8Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :content-language:in-reply-to:user-agent:date:message-id:from :references:cc:to:subject:dkim-signature; bh=HT13jeaCEWBW0udbzXSdtBT1dGkZwcuskeb8J3nR3vc=; b=ejQAG8gUGPv0CIIGFyP0IYfiqs3fIJCK/ur+Y8LrDsgbjyjYSMgH4yeTCw/SXBmFfb JU1NCz2oGHGlsuR+i77rjHrzZslQxohviskDW0NogjE/2mVB377/cVVoRVEaQICmTrPw 2QS24fnokABjGZdiC6IiWQEkzOq07doYgGAUwpXjfGdGW+jJ7CIZ3+ZnmmpkAxC0izeJ +A6TburoQ9huOEiJZMm6KoD3VGfXcIwxOA4jcZa8CiLh4thUU9KtP88zgJ38sHpV8zHD iQKsSygFAzoMdH2aDaUEJV8rvKMGm73hlM+wus2/bcrevTTxo/w+EJFkeplH44VEISvz /V+w== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@amdcloud.onmicrosoft.com header.s=selector2-amdcloud-onmicrosoft-com header.b=ZiSo9QH6; arc=pass (i=1 spf=pass spfdomain=amd.com dkim=pass dkdomain=amd.com dmarc=pass fromdomain=amd.com); spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j2si1851489oii.195.2020.03.09.23.23.06; Mon, 09 Mar 2020 23:23:18 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amdcloud.onmicrosoft.com header.s=selector2-amdcloud-onmicrosoft-com header.b=ZiSo9QH6; arc=pass (i=1 spf=pass spfdomain=amd.com dkim=pass dkdomain=amd.com dmarc=pass fromdomain=amd.com); spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726410AbgCJGWR (ORCPT + 99 others); Tue, 10 Mar 2020 02:22:17 -0400 Received: from mail-eopbgr760040.outbound.protection.outlook.com ([40.107.76.40]:21949 "EHLO NAM02-CY1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726252AbgCJGWQ (ORCPT ); Tue, 10 Mar 2020 02:22:16 -0400 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nekpuUfqisksp2Vu8x6Erk8IgWIi942plJsIlgtXzIePHMLN+cGg6ti0oROpQI+zOkw3v8jb3CkjRBLoX8Cp/C3Fh8BLPM9dBBRQsxVy23Amtxw56YCAF4/S0J3/Z1nUCS6w3fE1OZanawn25mRs9juv2b+uqgahL9SXDMg24V5l1p9Is61TB6V6tn9Q2dfKI6aBs8N/sirGUZgpyoPJoxQ0GoZNGzKy22xBN+gsoc11BL1PdT6PprTv16k5OQxyPolKhp/SQyj5VDVsV1T7hubPrXP6kmN9cO5tXKx/iNNZASDVqWPQHBqkY9UhAr6jNGDLRyM/1/7f16e/pNy/3g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=HT13jeaCEWBW0udbzXSdtBT1dGkZwcuskeb8J3nR3vc=; b=GyblzebvPXlGQ7lZa9Vt7e64jZpD+E2oapAuqOrpGNRpajH1JWXSfE7ymigUyJvkSwswmCalewp9C5r7EyjUX9KH0e9FjNaFO53rkdYKttPFi+kovnb/8hyn874Ny2sTmFiaM3BbhXxj7pvsT1u/84wjlCzqMC6VL8NFacKEXwFBcngkIxbN7uoilwytboKwpOWRWYbx9MegUFZ/GEDsJYmP62Fei7q85MpJMMjr1yJimJZ2c6xQMkObueMUwzcnKeEj/aJwqYUFxdfpyhVgyjRnVUPlpXH38yCW6dwpJmsK+7bU51zI3VvGd9nrkzzmfCxGuDal0mDsGnR3D60ENQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amdcloud.onmicrosoft.com; s=selector2-amdcloud-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=HT13jeaCEWBW0udbzXSdtBT1dGkZwcuskeb8J3nR3vc=; b=ZiSo9QH6stB8V8hRI+nB34LIj4mGmYWi5x+b9dBLEGHch9/PP1c/O8acqfj3WuzWzx+hGBvt1x5zJP9dKFOp2/MJyaQ8sdGorEw+o24Iv8ruiXv836cQ3Pr68rg7JHjc1Kl4gXF/uNyxjeu5P6EUtBC3Ue/NWtzuZWEYMXASWs0= Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Rijo-john.Thomas@amd.com; Received: from CY4PR12MB1925.namprd12.prod.outlook.com (2603:10b6:903:120::7) by CY4PR12MB1590.namprd12.prod.outlook.com (2603:10b6:910:a::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2793.17; Tue, 10 Mar 2020 06:22:12 +0000 Received: from CY4PR12MB1925.namprd12.prod.outlook.com ([fe80::ccd2:2608:7a9:6ae7]) by CY4PR12MB1925.namprd12.prod.outlook.com ([fe80::ccd2:2608:7a9:6ae7%10]) with mapi id 15.20.2793.013; Tue, 10 Mar 2020 06:22:12 +0000 Subject: Re: [PATCH] tee: amdtee: out of bounds read in find_session() To: Dan Carpenter , Jens Wiklander Cc: Herbert Xu , Devaraj Rangasamy , tee-dev@lists.linaro.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org References: <20200227161954.fo7pbbgomdjkraxq@kili.mountain> From: Rijo Thomas Message-ID: <0840f77c-6ebd-eafd-6fa5-bc1c2b90f580@amd.com> Date: Tue, 10 Mar 2020 11:52:01 +0530 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1 In-Reply-To: <20200227161954.fo7pbbgomdjkraxq@kili.mountain> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-ClientProxiedBy: MA1PR0101CA0020.INDPRD01.PROD.OUTLOOK.COM (2603:1096:a00:21::30) To CY4PR12MB1925.namprd12.prod.outlook.com (2603:10b6:903:120::7) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from [10.138.129.230] (165.204.156.251) by MA1PR0101CA0020.INDPRD01.PROD.OUTLOOK.COM (2603:1096:a00:21::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2793.15 via Frontend Transport; Tue, 10 Mar 2020 06:22:09 +0000 X-Originating-IP: [165.204.156.251] X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-HT: Tenant X-MS-Office365-Filtering-Correlation-Id: 5eb2f6bd-51ef-4fa7-2e49-08d7c4bb5e6d X-MS-TrafficTypeDiagnostic: CY4PR12MB1590:|CY4PR12MB1590: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:3826; X-Forefront-PRVS: 033857D0BD X-Forefront-Antispam-Report: SFV:NSPM;SFS:(10009020)(4636009)(136003)(366004)(396003)(346002)(39860400002)(376002)(199004)(189003)(110136005)(6486002)(16576012)(8936002)(52116002)(66556008)(66476007)(2906002)(478600001)(66946007)(53546011)(26005)(54906003)(81166006)(5660300002)(186003)(81156014)(8676002)(16526019)(956004)(31686004)(86362001)(31696002)(316002)(2616005)(6666004)(36756003)(4326008);DIR:OUT;SFP:1101;SCL:1;SRVR:CY4PR12MB1590;H:CY4PR12MB1925.namprd12.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:1;MX:1; Received-SPF: None (protection.outlook.com: amd.com does not designate permitted sender hosts) X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 69D2CV0q7VtxymaDvw9klmSVx9wch+ExAKX1AriXWypI6CTMouKXv0xeOAPc7Sw7yhPswmkYDm2L36FvARRXocODQj8LW487Ogk0moNQE+LSTfghrvX0rOAK/6xyS9ajuyFpNWE/tXjJ5lW3Z0K2/zIRkdTpVtJdZvT98/AocQdVqMmASaXgHI+S+1MewWxf4UazM1ONTsk2/NepNxXQvdlVeplWGKfgRAn1gPBsSRpn+8qWTaHxIA3hTMUiF1lYGFcpeX3BoIjLvZWowXYghsdYbUVXtfBZ9Q0BFdeXEfF8a1Db9MbTFCz3+qkXqqqcCTLX/GdzKA/XrHbI4Zb2qLWxwmb2EvGcClBd1wjw66s/YatJRbM2l3v67iWB3eShEbjl7W4Wva7k+jQV4sHWriDAjTLms8JOY9DNnazxIQAHgjUtHdmbwWsHHZeaD8DH X-MS-Exchange-AntiSpam-MessageData: FaiqGbCKcqwls5v8GMDdsKeRjo+6Lm6ooNtpA6kquur1vVWTGtEykqCxwG7Jc3gIW3oUj90ohMYWLxpalW+SGzALXVsmjeal31AsSzbsaMeMqz1hQd/eDL7Y07O0Ua8lGXnFx60/MUnlZ6UFkQI3cw== X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-Network-Message-Id: 5eb2f6bd-51ef-4fa7-2e49-08d7c4bb5e6d X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Mar 2020 06:22:12.0265 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: t5SpG4YCjx7hPnhjbPFE8pT2Ej70i2I5oPvQUncu9GD4CbMGeymZES0qCAsYswznN0GAsdRNf0CU8U7K/Gieyw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR12MB1590 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 27/02/20 9:49 pm, Dan Carpenter wrote: > The "index" is a user provided value from 0-USHRT_MAX. If it's over > TEE_NUM_SESSIONS (31) then it results in an out of bounds read when we > call test_bit(index, sess->sess_mask). > > Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") > Signed-off-by: Dan Carpenter Acked-by: Rijo Thomas Thanks, Rijo > --- > drivers/tee/amdtee/core.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/tee/amdtee/core.c b/drivers/tee/amdtee/core.c > index 6370bb55f512..dbc238c7c263 100644 > --- a/drivers/tee/amdtee/core.c > +++ b/drivers/tee/amdtee/core.c > @@ -139,6 +139,9 @@ static struct amdtee_session *find_session(struct amdtee_context_data *ctxdata, > u32 index = get_session_index(session); > struct amdtee_session *sess; > > + if (index >= TEE_NUM_SESSIONS) > + return NULL; > + > list_for_each_entry(sess, &ctxdata->sess_list, list_node) > if (ta_handle == sess->ta_handle && > test_bit(index, sess->sess_mask)) >