Diffstat (limited to 'recipes-security/optee-imx/optee-test/0001-regression-4011-correct-potential-overflow.patch')
-rw-r--r-- | recipes-security/optee-imx/optee-test/0001-regression-4011-correct-potential-overflow.patch | 72 |
1 files changed, 0 insertions, 72 deletions
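diff --git a/recipes-security/optee-imx/optee-test/0001-regression-4011-correct-potential-overflow.patch b/recipes-security/optee-imx/optee-test/0001-regression-4011-correct-potential-overflow.patch
deleted file mode 100644
index 0d853ed0..00000000
--- a/recipes-security/optee-imx/optee-test/0001-regression-4011-correct-potential-overflow.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-Upstream-Status: Backport 3.4.0
-
-Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
----
-From 0953bf0abb08fb98d24b7966001171a707fbb9b9 Mon Sep 17 00:00:00 2001
-From: Etienne Carriere <etienne.carriere@linaro.org>
-Date: Fri, 21 Dec 2018 15:36:25 +0100
-Subject: [PATCH] regression 4011: correct potential overflow
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fix issues reported by GCC 8.2.0.
-
-build/optee_test/host/xtest/regression_4000.c: In function ‘xtest_tee_test_4011’:
-build/optee_test/host/xtest/regression_4000.c:5029:3: error: ‘memmove’ pointer overflow between offset [0, 8] and size [4294967295, 2147483647] accessing array ‘tmp’ with type ‘uint8_t[1024]’ {aka ‘unsigned char[1024]’} [-Werror=array-bounds]
-memmove(tmp + n + i, tmp + m, tmp_size - m);
-^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-build/optee_test/host/xtest/regression_4000.c:4927:10: note: array ‘tmp’ declared here
-uint8_t tmp[1024];
-^~~
-build/optee_test/host/xtest/regression_4000.c:5029:3: error: ‘memmove’ specified size 4294967295 exceeds maximum object size 2147483647 [-Werror=stringop-overflow=]
-memmove(tmp + n + i, tmp + m, tmp_size - m);
-^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-cc1: all warnings being treated as errors
-
-Reported-by: Simon Hughes <simon.hughes@arm.com>
-Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
-Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
----
-host/xtest/regression_4000.c | 16 +++++++++++++---
-1 file changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/host/xtest/regression_4000.c b/host/xtest/regression_4000.c
-index 766aad2..205a226 100644
---- a/host/xtest/regression_4000.c
-+++ b/host/xtest/regression_4000.c
-@@ -5018,18 +5018,28 @@ static void xtest_tee_test_4011(ADBG_Case_t *c)
-out, out_size, tmp, &tmp_size)))
-goto out;
-
-+ if (!ADBG_EXPECT_COMPARE_UNSIGNED(c, tmp_size, <=, sizeof(tmp)))
-+ goto out;
-+
-/* 4.1 */
-- for (n = 0; n < tmp_size; n++)
-+ for (n = 0; n < tmp_size - i; n++)
-if (tmp[n] == 0xff)
-break;
-+
-+ /* Shall find at least a padding start before buffer end */
-+ if (!ADBG_EXPECT_COMPARE_UNSIGNED(c, n, <, tmp_size - i - 1))
-+ goto out;
-+
-for (m = n + 1; m < tmp_size; m++)
-if (tmp[m] != 0xff)
-break;
-+
-/* 4.2 */
-memmove(tmp + n + i, tmp + m, tmp_size - m);
-+
-/* 4.3 */
-- for (n = n + tmp_size - m + i; n < tmp_size; n++)
-- tmp[n] = 0;
-+ n = n + i + tmp_size - m;
-+ memset(tmp + n, 0, tmp_size - n);
-
-/* 5 */
-out_size = sizeof(out);
---
-2.7.4
-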