author | Jens Wiklander <jens.wiklander@linaro.org> | 2021-01-14 14:54:24 +0100 |
---|---|---|
committer | Jérôme Forissier <jerome@forissier.org> | 2021-01-15 09:13:54 +0100 |
commit | d53897cd754a531d1ea2da25691117354e312664 (patch) | |
tree | a688cda3f75e037e01b988d5decccad471f509d4 | |
parent | 897357879e4a88587bb91d8f7e9dd66e2b3c4d6f (diff) |
core: fix bad memset() in update_write_helper()
update_write_helper() is clearing uninitialized parts of blk_buf.
There's an error in the logic calculating how much should be cleared
resulting in a negative size being supplied to memset(). Fix this by
always clearing blk_buf before usage.
Fixes: cd799689cd3d ("core: rpmb: fix initialization of new rpmb data")
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Tested-by: Jerome Forissier <jerome@forissier.org> (HiKey)
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
-rw-r--r-- | core/tee/tee_rpmb_fs.c | 7 |
1 files changed, 1 insertions, 6 deletions
diff --git a/core/tee/tee_rpmb_fs.c b/core/tee/tee_rpmb_fs.c index 89caf851..1b28bb0e 100644 --- a/core/tee/tee_rpmb_fs.c +++ b/core/tee/tee_rpmb_fs.c @@ -2398,6 +2398,7 @@ static TEE_Result update_write_helper(struct rpmb_file_handle *fh, size_t rd_size = 0; blk_size = MIN(TMP_BLOCK_SIZE, new_size - blk_offset); + memset(blk_buf, 0, blk_size); /* Possibly read old RPMB data in temporary buffer */ if (blk_offset < pos && blk_offset < old_size) { @@ -2430,12 +2431,6 @@ static TEE_Result update_write_helper(struct rpmb_file_handle *fh, memcpy(copy_dst, rem_buf, copy_size); rem_buf += copy_size; rem_size -= copy_size; - - /* Extend from read data to copied data with zeros */ - memset(blk_buf + rd_size, 0, offset - rd_size); - } else { - /* Extend from read data to block end with zeros */ - memset(blk_buf + rd_size, 0, blk_size - rd_size); } /* Write temporary buffer to new RPMB destination */ |
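Review bot: The new memset(blk_buf, 0, blk_size) in the first hunk carries no comment, while both comments that explained the zero-fill are deleted in the second hunk. A one-line comment here, for example that the block is zeroed up front so any gap between old RPMB data and the copied data reads as zeros, would keep that intent documented. The call is in bounds only if blk_buf holds at least TMP_BLOCK_SIZE bytes and new_size - blk_offset cannot wrap before the MIN(). Neither is visible in this context, so both are worth confirming against the buffer allocation and the loop condition.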
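Review bot: The memset(blk_buf + rd_size, 0, offset - rd_size) removed in the second hunk was given a length that goes wrong whenever rd_size exceeds offset, and because memset() takes a size_t, the "negative size" named in the commit message would have been converted to a very large length, that is, zeros written far past blk_buf + rd_size. Dropping both tail memsets in favour of the up-front clear removes that arithmetic entirely, which is the right direction, but nothing in the patch exercises the failing case. A regression test that drives update_write_helper() with rd_size greater than offset would guard against the length calculation being reintroduced.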