DebugFS: Check channel index before calling clone function

To avoid a potential out-of-bounds access, check whether
a device exists on a channel before calling the corresponding
clone function.

Signed-off-by: Zelalem <zelalem.aweke@arm.com>
Change-Id: Ia0dd66b331d3fa8a33109a02369e1bc9ae0fdd5b

2 files changed, 13 insertions, 4 deletions

diff --git a/lib/debugfs/dev.c b/lib/debugfs/dev.c
index 0361437b8..2fc1d4062 100644
--- a/lib/debugfs/dev.c
+++ b/lib/debugfs/dev.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -333,6 +333,10 @@ noent:
  ******************************************************************************/
 chan_t *clone(chan_t *c, chan_t *nc)
 {
+	if (c->index == NODEV) {
+		return NULL;
+	}
+
 	return devtab[c->index]->clone(c, nc);
 }
 
diff --git a/lib/debugfs/devfip.c b/lib/debugfs/devfip.c
index d8b83b7a4..85e6403c7 100644
--- a/lib/debugfs/devfip.c
+++ b/lib/debugfs/devfip.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -129,7 +129,10 @@ static int fipgen(chan_t *c, const dirtab_t *tab, int ntab, int n, dir_t *dir)
 		panic();
 	}
 
-	clone(archives[c->dev].c, &nc);
+	if (clone(archives[c->dev].c, &nc) == NULL) {
+		panic();
+	}
+
 	fip = &archives[nc.dev];
 
 	off = STOC_HEADER;
@@ -202,7 +205,9 @@ static int fipread(chan_t *c, void *buf, int n)
 		panic();
 	}
 
-	clone(fip->c, &cs);
+	if (clone(fip->c, &cs) == NULL) {
+		panic();
+	}
 
 	size = fip->size[c->qid];
 	if (c->offset >= size) {