Received: by 2002:ab2:26cd:0:b0:1ed:3240:60d6 with SMTP id c13csp501819lqf;
        Mon, 4 Mar 2024 12:51:14 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCW1ESELk2Yb5CWgug/zvfTfESvqc7JhjLshl6QhrqTtOyRmcQa9g+FtcfBnDyEOKcF415QDTOXHmGMtfQ2KMZZYbW23kjmSP/VnbBxVYw==
X-Google-Smtp-Source: AGHT+IENM7Erzs+cdHuPf0vC8cK+knJF6i3ToAVTdkcnvfmKyPd+RoWBsf9itKsUeDXNV0bTI5ag
X-Received: by 2002:a17:906:d045:b0:a44:5589:c098 with SMTP id bo5-20020a170906d04500b00a445589c098mr7190993ejb.7.1709585474272;
        Mon, 04 Mar 2024 12:51:14 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1709585474; cv=pass;
        d=google.com; s=arc-20160816;
        b=HPB/wGeDkvQsGcwQx9Hz4bz0S570aTusRiy5HpWceIFqAKHXDUVLMXUsrZZawYv7e9
         BB/rXkWfz+BFmDkB9bFJE+VSaroj+xVggCPu60eyNo8UdweX7q1ZoGU7W/koPuWcvLnV
         66l7x2ICsro1KoSAl1J8o79zdB5CGJl1ocFEGaUBu54OTV9nFfte7xWEwSjhvjAJFAVP
         L7hY/d3ETpNvEH7teBnkJOYHxxl9JKYoWm/BO0Oe4dl4TmN1KIuUN7q0wMgG4cS8QQH/
         3JN7uEsrkfq+pfzgdXNjnKBDpIiI/Xg6j6Ij8Xuu+gYW5x5CHItQypReR1bEmSyHyDfw
         nckw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=ui-outboundreport:content-transfer-encoding:mime-version
         :list-unsubscribe:list-subscribe:list-id:precedence:references
         :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature;
        bh=FVIante6SnTMdEMo20pIU2G1k8gWzeZdkK4s/s9HLY0=;
        fh=Iw0cdpf9yN87ufu137c7ThcNR/cLOoX+JIMwqQQfbho=;
        b=DehCCuMsoEKet3ESUz9SoHKI6dBXOYruAg8Q29sYEQN7aF/Mexy37LmKIp7kHvUuss
         oHR6UWVSVtKadd4VDCK7HZu4SKFXA0sf4Dv/QnWvW2BR/I+TOJ67FPPD48Z6SZ0H4f9w
         YM81zxzKhoVYsmUK+Iyw1W3WS6n7u3EfTLP45QAWwGkE2Om3vEoaUN+gbUz18P0chV4q
         iy8wuZ4gAFrvAzZh4P62/lYo1x8F3yGTeHAez4H5KdbcKLg22cizHHRcdI5OygLknvYu
         2mhAz00LFlsixNoWzo/eJO7tIvVnpbJialY95KR1mCp0rtf88jHuKcVRmsLngm5XSp7k
         cpfg==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@gmx.de header.s=s31663417 header.b=kFXFBocs;
       arc=pass (i=1 spf=pass spfdomain=gmx.de dkim=pass dkdomain=gmx.de dmarc=pass fromdomain=gmx.de);
       spf=pass (google.com: domain of linux-kernel+bounces-91259-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-91259-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=gmx.de
Return-Path: <linux-kernel+bounces-91259-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3])
        by mx.google.com with ESMTPS id j16-20020a170906475000b00a443a32c59bsi4242181ejs.615.2024.03.04.12.51.14
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 04 Mar 2024 12:51:14 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-91259-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmx.de header.s=s31663417 header.b=kFXFBocs;
       arc=pass (i=1 spf=pass spfdomain=gmx.de dkim=pass dkdomain=gmx.de dmarc=pass fromdomain=gmx.de);
       spf=pass (google.com: domain of linux-kernel+bounces-91259-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-91259-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=gmx.de
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id 06D211F22F0E
	for <linux.lists.archive@gmail.com>; Mon,  4 Mar 2024 20:51:14 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id A9FE65B1FE;
	Mon,  4 Mar 2024 20:50:30 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmx.de header.i=w_armin@gmx.de header.b="kFXFBocs"
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9E799101C5;
	Mon,  4 Mar 2024 20:50:27 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=212.227.15.15
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1709585429; cv=none; b=Cebi3AW/mfjNxAxA4tYjTuRZTrpOW0s/cVs+rDjfK5IOuXHSD9bejs3iS4BVExdqrRx8FDx316dlHebsD7ObdFOmZJGPWgrMb2fE9xBXRRm/FjPFDbUz3KnSigL9Afwi7NmwO/x1V5THGbNyjfPpMytQ9hMKy4H9GVNSkqJ0MbE=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1709585429; c=relaxed/simple;
	bh=/Yt3m3QNMxVunjWQ91MeMMIfkjCAz9FIsDyld1UwyI0=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version; b=ANnQlPZkFkBXZ6qiCgyMURNnSkcBpravHgJpv9AzVExCWgV9mFhSQz7goWCcHbEjoEuZWrol8PZ6p2T/NkMKnFsXS/0dkjJbKPAa+B/YQnW+HV17ZqaYGlY2zlTkWPXdhdz20RPEM34dgKcX4pQ4p6taRjWoPRgxYjX9AZwsYSY=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=gmx.de; spf=pass smtp.mailfrom=gmx.de; dkim=pass (2048-bit key) header.d=gmx.de header.i=w_armin@gmx.de header.b=kFXFBocs; arc=none smtp.client-ip=212.227.15.15
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=gmx.de
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmx.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.de; s=s31663417;
	t=1709585419; x=1710190219; i=w_armin@gmx.de;
	bh=/Yt3m3QNMxVunjWQ91MeMMIfkjCAz9FIsDyld1UwyI0=;
	h=X-UI-Sender-Class:From:To:Cc:Subject:Date:In-Reply-To:
	 References;
	b=kFXFBocsoRO0v5aFUhC3Gse9ovxb6aHDxThdhKFxQxJUcm8N6PUlupsJIlsgmlL4
	 bX7nadw8g6Wl4bIDSL+Z10b78/ywmmH5gtcwn+wZzQbcwsajB9l3uc5vnYlcilEqh
	 eoR91PtLBUwf0vuVTQ7DborXjXZiX2g8BeONMUzVyGkLB9G3BeJ6jLgWlVzScHAko
	 bDxngmhdTWsHvVrUghnQ26cxQgTLpR2kW49Ku5OREHtOYMxVNXqIfx31dRkfegg+1
	 jAwkLiC0/byJfocAYUfQsRXjdk0/WGlM3zbnV5mFpYw1wil2XKg8jBgXqMVYkbbJP
	 1d8k+L/49vIMDNEuvA==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from mx-amd-b650.users.agdsn.de ([141.30.226.129]) by mail.gmx.net
 (mrgmx005 [212.227.17.190]) with ESMTPSA (Nemesis) id
 1MacSe-1r9qW91wVe-00c5nK; Mon, 04 Mar 2024 21:50:19 +0100
From: Armin Wolf <W_Armin@gmx.de>
To: Shyam-sundar.S-k@amd.com
Cc: hdegoede@redhat.com,
	ilpo.jarvinen@linux.intel.com,
	platform-driver-x86@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH v3 4/4] platform/x86/amd/pmf: Fix possible out-of-bound memory accesses
Date: Mon,  4 Mar 2024 21:50:05 +0100
Message-Id: <20240304205005.10078-5-W_Armin@gmx.de>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20240304205005.10078-1-W_Armin@gmx.de>
References: <20240304205005.10078-1-W_Armin@gmx.de>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:4unXtnfNipYqD0DGmmAFTw4uVIT2ZbY1gRHrlSqvzY0ZtJtCHc8
 29st9mq2zFZXJOxGqRKaTd/ymY8JWm7RFm4wO854nrbPOtHQY1c0p/LSqzJ+JkHHuO69gss
 NblXqwypb9r10joTSFTNwbGpYiNBGsfwB1D6xQZZbizrV/iRjoFeQCyVujVMsT4c47Z1ZJR
 zh0KH3FtOWldCucAqIDRA==
X-Spam-Flag: NO
UI-OutboundReport: notjunk:1;M01:P0:nE75bobHrC4=;Nobj9OwVmbhnUnr/40vGxXz1VOM
 D5HIS0HO6t8QIe21y5D0kNnKlUMn31fzP9vZ/9dXMrugwdFTBTKF+KWDn6SAo2qaiXog4p0ga
 W/8AkDzETwosbuW7gz/Pa375qdnyWW4tZt/PYFMYds/TN/oVgEpvNcvGtP0DHroVOajfDUuHg
 RiF+laPFkBxJzItarPKotGtKTejzwgVcQ78Cl0PXwYNUbbU+KcfQASjlSuf7TirfQMdLUiH/C
 qH0oNo1qmhkN3jDNnq23MdxO1N3U259/MNOQCPKhXhIe5bsZbukT85AshMblyOdTcF3c2ekBQ
 5vb6SO1/EnwzkIYb2Zdrtu+5w4UxO2zyJ8PxCAhTciIynH4V7AE/6IkfLos+aE7m4+EKlloQn
 70he4WpO40jkKSqQgiOH2vpJEVXrs1S39vJ5wdbxoCTfrrTeXoVC/GqUjE+3xnXmmqroJvNRe
 HDo3TngxR/NmaI3D0Vdr4zt3o8MQydkfGFVYf8mbrtZ2JJNVtFjAwd7X37Gd8kI9uYm3xPmT/
 s1K2plQ6VF3r6/0oE7brgPb8JGyR9WzrEdm3iq42+q6ZWZYgbfQpTfE8cCM7BHnOsaFCtBxFn
 gH+SaZuku7lrfJ6UizUgZdTxI/9XGf72/ZQMwUl0kRML3yp5rvg1IENuHb95Ge9CHFJig1Dzr
 7PINWIkpQVggje7YglZanEjmqwNXIhjAJBfiuH2iuMvXxBr/xj/LNsIvASn5FgS4itVdm/vpX
 iPCGsmUpzLAIMKSLtt5lnECtFxv4/PFyxOaM5iEQAuNr9S9soQHUnlqR50BG876taRIClcOuw
 4dAtSyz2lhr8ugFaq7ylYW/ut70s6g/4bqlcxgBiY4z3I=

The length of the policy buffer is not validated before accessing it,
which means that multiple out-of-bounds memory accesses can occur.

This is especially bad since userspace can load policy binaries over
debugfs.

Compile-tested only.

Fixes: 7c45534afa44 ("platform/x86/amd/pmf: Add support for PMF Policy Bin=
ary")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
=2D--
 drivers/platform/x86/amd/pmf/tee-if.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/platform/x86/amd/pmf/tee-if.c b/drivers/platform/x86/=
amd/pmf/tee-if.c
index 71ea7eefc211..75370431a82e 100644
=2D-- a/drivers/platform/x86/amd/pmf/tee-if.c
+++ b/drivers/platform/x86/amd/pmf/tee-if.c
@@ -249,11 +249,17 @@ static int amd_pmf_start_policy_engine(struct amd_pm=
f_dev *dev)
 	struct cookie_header *header;
 	int res;

+	if (dev->policy_sz < POLICY_COOKIE_OFFSET + sizeof(*header))
+		return -EINVAL;
+
 	header =3D (struct cookie_header *)(dev->policy_buf + POLICY_COOKIE_OFFS=
ET);

 	if (header->sign !=3D POLICY_SIGN_COOKIE || !header->length)
 		return -EINVAL;

+	if (dev->policy_sz < header->length + 512)
+		return -EINVAL;
+
 	/* Update the actual length */
 	dev->policy_sz =3D header->length + 512;
 	res =3D amd_pmf_invoke_cmd_init(dev);
=2D-
2.39.2