diff options
author | Zelalem <zelalem.aweke@arm.com> | 2020-12-18 11:02:25 -0600 |
---|---|---|
committer | Zelalem Aweke <zelalem.aweke@arm.com> | 2021-01-21 15:25:23 +0000 |
commit | b226c74737090f5fca17656f43743b2c6ab766ca (patch) | |
tree | 280c376496c24aeb853fd1c603b21574d4686afe | |
parent | d194afa71b4f946603ec86fab2309533a76cbc95 (diff) |
DebugFS: Check channel index before calling clone function
To avoid a potential out-of-bounds access, check whether
a device exists on a channel before calling the corresponding
clone function.
Signed-off-by: Zelalem <zelalem.aweke@arm.com>
Change-Id: Ia0dd66b331d3fa8a33109a02369e1bc9ae0fdd5b
-rw-r--r-- | lib/debugfs/dev.c | 6 | ||||
-rw-r--r-- | lib/debugfs/devfip.c | 11 |
2 files changed, 13 insertions, 4 deletions
diff --git a/lib/debugfs/dev.c b/lib/debugfs/dev.c index 0361437b8..2fc1d4062 100644 --- a/lib/debugfs/dev.c +++ b/lib/debugfs/dev.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019, Arm Limited. All rights reserved. + * Copyright (c) 2019-2021, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -333,6 +333,10 @@ noent: ******************************************************************************/ chan_t *clone(chan_t *c, chan_t *nc) { + if (c->index == NODEV) { + return NULL; + } + return devtab[c->index]->clone(c, nc); } diff --git a/lib/debugfs/devfip.c b/lib/debugfs/devfip.c index d8b83b7a4..85e6403c7 100644 --- a/lib/debugfs/devfip.c +++ b/lib/debugfs/devfip.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019-2020, Arm Limited. All rights reserved. + * Copyright (c) 2019-2021, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -129,7 +129,10 @@ static int fipgen(chan_t *c, const dirtab_t *tab, int ntab, int n, dir_t *dir) panic(); } - clone(archives[c->dev].c, &nc); + if (clone(archives[c->dev].c, &nc) == NULL) { + panic(); + } + fip = &archives[nc.dev]; off = STOC_HEADER; @@ -202,7 +205,9 @@ static int fipread(chan_t *c, void *buf, int n) panic(); } - clone(fip->c, &cs); + if (clone(fip->c, &cs) == NULL) { + panic(); + } size = fip->size[c->qid]; if (c->offset >= size) { |