From d53897cd754a531d1ea2da25691117354e312664 Mon Sep 17 00:00:00 2001
From: Jens Wiklander
Date: Thu, 14 Jan 2021 14:54:24 +0100
Subject: core: fix bad memset() in update_write_helper()

update_write_helper() is clearing uninitialized parts of blk_buf. There's an error in the logic calculating how much should be cleared resulting in a negative size being supplied to memset(). Fix this by always clearing blk_buf before usage.

Fixes: cd799689cd3d ("core: rpmb: fix initialization of new rpmb data")
Acked-by: Rouven Czerwinski
Tested-by: Jerome Forissier (HiKey)
Acked-by: Etienne Carriere
Signed-off-by: Jens Wiklander
---
 core/tee/tee_rpmb_fs.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
(limited to 'core')
diff --git a/core/tee/tee_rpmb_fs.c b/core/tee/tee_rpmb_fs.c
index 89caf851..1b28bb0e 100644
--- a/core/tee/tee_rpmb_fs.c
+++ b/core/tee/tee_rpmb_fs.c
@@ -2398,6 +2398,7 @@ static TEE_Result update_write_helper(struct rpmb_file_handle *fh,
 		size_t rd_size = 0;
 		blk_size = MIN(TMP_BLOCK_SIZE, new_size - blk_offset);
+		memset(blk_buf, 0, blk_size);
 		/* Possibly read old RPMB data in temporary buffer */
 		if (blk_offset < pos && blk_offset < old_size) {
@@ -2430,12 +2431,6 @@ static TEE_Result update_write_helper(struct rpmb_file_handle *fh,
 			memcpy(copy_dst, rem_buf, copy_size);
 			rem_buf += copy_size;
 			rem_size -= copy_size;
-
-			/* Extend from read data to copied data with zeros */
-			memset(blk_buf + rd_size, 0, offset - rd_size);
-		} else {
-			/* Extend from read data to block end with zeros */
-			memset(blk_buf + rd_size, 0, blk_size - rd_size);
 		}
 		/* Write temporary buffer to new RPMB destination */
--
cgit v1.2.3
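Review bot: The memset() added after the MIN() in the first hunk carries no comment, while the two memsets removed in the second hunk held the only explanation of why the block is zero-filled; a one-line comment above the new call would keep that rationale, e.g. `/* Clear the whole block so bytes not overwritten by the read below or by the copy from rem_buf reach RPMB as zeros */`. The clear is only safe if blk_buf holds at least TMP_BLOCK_SIZE bytes, which the MIN() bounds blk_size to; the buffer declaration is outside the hunk, so that is worth confirming rather than a defect I can see here. rd_size, declared at the top of the first hunk, was the index for the removed memsets; if nothing else in the function reads it after this change it becomes a set-but-unused variable that -Wunused-but-set-variable would flag. update_write_helper() starts before the first hunk and continues past the second, so both points need checking against the full function.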