48 lines
1.8 KiB
Diff
48 lines
1.8 KiB
Diff
From 9778b270e29bac3e16f57f9557098c45858c05de Mon Sep 17 00:00:00 2001
|
|
From: Tobias Rist <tobias.rist@joynext.com>
|
|
Date: Tue, 7 Mar 2023 09:40:37 +0100
|
|
Subject: [PATCH] fix(rcar3-drivers): check for length underflow
|
|
|
|
Origin: https://github.com/ARM-software/arm-trusted-firmware/commit/9778b270e29bac3e16f57f9557098c45858c05de
|
|
https://github.com/renesas-rcar/arm-trusted-firmware/commit/b596f580637bae919b0ac3a5471422a1f756db3b
|
|
|
|
Make sure the length of the payload is not longer than the
|
|
DRAM size in check_load_area(), and make sure the payload
|
|
end does not cross protected area start.
|
|
|
|
Signed-off-by: Tobias Rist <tobias.rist@joynext.com>
|
|
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
|
|
Change-Id: I4d687be577a138352be9f92e5b0b6f596ffffba9
|
|
---
|
|
drivers/renesas/common/io/io_rcar.c | 7 ++++---
|
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
|
|
index c169923..603fefd 100644
|
|
--- a/drivers/renesas/common/io/io_rcar.c
|
|
+++ b/drivers/renesas/common/io/io_rcar.c
|
|
@@ -288,7 +288,7 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
|
|
|
|
prot_end = prot_start + DRAM_PROTECTED_SIZE;
|
|
|
|
- if (dst < dram_start || dst > dram_end - len) {
|
|
+ if (dst < dram_start || len > dram_end || dst > dram_end - len) {
|
|
ERROR("BL2: dst address is on the protected area.\n");
|
|
result = IO_FAIL;
|
|
goto done;
|
|
@@ -301,8 +301,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
|
|
goto done;
|
|
}
|
|
|
|
- if (dst < prot_start && dst > prot_start - len) {
|
|
- ERROR("BL2: loaded data is on the protected area.\n");
|
|
+ if (len > prot_start || (dst < prot_start && dst > prot_start - len)) {
|
|
+ ERROR("BL2: %s[%d] loaded data is on the protected area.\n",
|
|
+ __func__, __LINE__);
|
|
result = IO_FAIL;
|
|
goto done;
|
|
}
|
|
--
|
|
2.33.0
|
|
|