From: Armin Wolf
To: Shyam-sundar.S-k@amd.com
Cc: hdegoede@redhat.com, ilpo.jarvinen@linux.intel.com, platform-driver-x86@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3 4/4] platform/x86/amd/pmf: Fix possible out-of-bound memory accesses
Date: Mon, 4 Mar 2024 21:50:05 +0100
Message-Id: <20240304205005.10078-5-W_Armin@gmx.de>
In-Reply-To: <20240304205005.10078-1-W_Armin@gmx.de>
References: <20240304205005.10078-1-W_Armin@gmx.de>
X-Mailing-List: linux-kernel@vger.kernel.org

The length of the policy buffer is not validated before accessing it,
which means that multiple out-of-bounds memory accesses can occur.

This is especially bad since userspace can load policy binaries over
debugfs.

Compile-tested only.

Fixes: 7c45534afa44 ("platform/x86/amd/pmf: Add support for PMF Policy Binary")
Signed-off-by: Armin Wolf
---
 drivers/platform/x86/amd/pmf/tee-if.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/platform/x86/amd/pmf/tee-if.c b/drivers/platform/x86/amd/pmf/tee-if.c
index 71ea7eefc211..75370431a82e 100644
--- a/drivers/platform/x86/amd/pmf/tee-if.c
+++ b/drivers/platform/x86/amd/pmf/tee-if.c
@@ -249,11 +249,17 @@ static int amd_pmf_start_policy_engine(struct amd_pmf_dev *dev)
 	struct cookie_header *header;
 	int res;
 
+	if (dev->policy_sz < POLICY_COOKIE_OFFSET + sizeof(*header))
+		return -EINVAL;
+
 	header = (struct cookie_header *)(dev->policy_buf + POLICY_COOKIE_OFFSET);
 	if (header->sign != POLICY_SIGN_COOKIE || !header->length)
 		return -EINVAL;
 
+	if (dev->policy_sz < header->length + 512)
+		return -EINVAL;
+
 	/* Update the actual length */
 	dev->policy_sz = header->length + 512;
 
 	res = amd_pmf_invoke_cmd_init(dev);
-- 
2.39.2
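Review bot: in the second added check, `if (dev->policy_sz < header->length + 512)`, the addition happens in the type of `header->length` before the comparison; the definitions of `header->length` and `policy_sz` are not in the hunk, but if both are 32-bit unsigned a length near the type's maximum wraps `header->length + 512` to a small value, the check passes, and the existing assignment `dev->policy_sz = header->length + 512;` then stores that wrapped size instead of rejecting the blob. Consider `check_add_overflow()` (or an explicit `header->length > UINT_MAX - 512` test) before the comparison. Minor: the trailer size 512 now appears twice, in the new check and in the existing assignment; a named constant would keep the two in step. The first added check, `dev->policy_sz < POLICY_COOKIE_OFFSET + sizeof(*header)`, is correct as written and is what prevents the `header->sign` and `header->length` reads from running past a short buffer.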
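The commit message above describes a common bug class: a blob loaded from userspace (here over debugfs) carries its own length field, and that field was trusted before anything checked that the blob was large enough to hold it. Below is an added example, written for this page and not code from the kernel patch or the amd/pmf driver, that models the two checks the patch adds in a form that compiles and runs outside the kernel. The header layout (two 32-bit fields), the cookie offset of 4 and the signature value are assumptions; the `+ 512` trailer comes from the hunk. It also shows, via `naive_length_fits()`, how the same comparison done in 32-bit arithmetic accepts a header whose length wraps, which is the case `validate_policy()` guards against.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define POLICY_COOKIE_OFFSET 4           /* assumed value */
#define POLICY_SIGN_COOKIE   0x31535a54u /* assumed signature value */
#define POLICY_TRAILER       512u        /* the "+ 512" used in the hunk */
#define EINVAL_NEG           (-22)       /* -EINVAL */

/* Assumed layout: two 32-bit fields, no padding. */
struct cookie_header {
	uint32_t sign;
	uint32_t length;
};

/* Hardened check: every read of the buffer is preceded by a bound test,
 * and the length arithmetic cannot wrap. Returns 0 and the validated
 * total size in *out_len, or -EINVAL. */
int validate_policy(const uint8_t *buf, size_t sz, size_t *out_len)
{
	struct cookie_header hdr;
	size_t need;

	/* Is there room for the header at the cookie offset at all? */
	if (sz < POLICY_COOKIE_OFFSET + sizeof(hdr))
		return EINVAL_NEG;

	/* memcpy rather than a pointer cast: no alignment assumption. */
	memcpy(&hdr, buf + POLICY_COOKIE_OFFSET, sizeof(hdr));

	if (hdr.sign != POLICY_SIGN_COOKIE || hdr.length == 0)
		return EINVAL_NEG;

	/* Guard the addition before doing it, so a length near UINT32_MAX
	 * cannot wrap to a small value and slip past the size comparison. */
	if (hdr.length > SIZE_MAX - POLICY_TRAILER)
		return EINVAL_NEG;
	need = (size_t)hdr.length + POLICY_TRAILER;
	if (sz < need)
		return EINVAL_NEG;

	*out_len = need;
	return 0;
}

/* Contrast: the same comparison in 32-bit unsigned arithmetic, as it
 * would be if both operands were u32. Returns 1 if the blob is accepted.
 * Only safe to call on buffers already known to hold a header. */
int naive_length_fits(const uint8_t *buf, size_t sz)
{
	struct cookie_header hdr;
	uint32_t need32;

	memcpy(&hdr, buf + POLICY_COOKIE_OFFSET, sizeof(hdr));
	need32 = hdr.length + POLICY_TRAILER;   /* may wrap */
	return sz >= need32;
}

/* Constructed test blob: zero padding with a header at the cookie
 * offset. 'total' plays the role of the number of bytes the driver
 * actually received from userspace (policy_sz before the fix-up). */
static uint8_t blob[2048];
static size_t scratch_len;

static size_t build_blob(uint32_t sign, uint32_t length, size_t total)
{
	struct cookie_header hdr = { sign, length };

	memset(blob, 0, sizeof(blob));
	if (total >= POLICY_COOKIE_OFFSET + sizeof(hdr))
		memcpy(blob + POLICY_COOKIE_OFFSET, &hdr, sizeof(hdr));
	return total;
}

/* Each case returns validate_policy()'s verdict for one input shape. */
int case_valid(void)      { return validate_policy(blob, build_blob(POLICY_SIGN_COOKIE, 100, 612), &scratch_len); }
int case_truncated(void)  { return validate_policy(blob, build_blob(POLICY_SIGN_COOKIE, 100, 611), &scratch_len); }
int case_header_cut(void) { return validate_policy(blob, build_blob(POLICY_SIGN_COOKIE, 100, 6), &scratch_len); }
int case_bad_sign(void)   { return validate_policy(blob, build_blob(0xdeadbeefu, 100, 612), &scratch_len); }
int case_zero_len(void)   { return validate_policy(blob, build_blob(POLICY_SIGN_COOKIE, 0, 612), &scratch_len); }
int case_wrap(void)       { return validate_policy(blob, build_blob(POLICY_SIGN_COOKIE, UINT32_MAX, 2048), &scratch_len); }

/* Size the engine would be told to use for the valid blob: 100 + 512. */
size_t case_valid_len(void) { scratch_len = 0; case_valid(); return scratch_len; }

/* The wrapping header against the 32-bit comparison: accepted (returns 1),
 * because 0xffffffff + 512 wraps to 511, which is well below 2048. */
int case_wrap_naive(void)
{
	build_blob(POLICY_SIGN_COOKIE, UINT32_MAX, 2048);
	return naive_length_fits(blob, 2048);
}
```

The order of the checks matters: the buffer size is tested against the fixed header size before the header is read, and the header's own length is tested against the buffer size before it is used to set the size handed on to the engine. `case_truncated()` sits one byte below the boundary and `case_valid()` exactly on it, which is the pair worth keeping in any regression test for this kind of check.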