Commit fb9e85a6 authored by chengjia4574, committed by Yuan Lin

msm: arm: krait: Patch for krait array access out of bound


Current array-bound-check does not cover all cases.
An attacker can use this loophole to redirect $PC to attacker-controlled functions.

The fix is to move the existing array-bound-check to a later location to cover all cases.

Bug: 25773204
Change-Id: I06f1f34b97ceedcd919e6ad00b60871d4c88df82
Signed-off-by: Yuan Lin <yualin@google.com>
parent 1235eacf
......@@ -219,9 +219,6 @@ static unsigned int get_krait_evtinfo(unsigned int krait_evt_type,
code = (krait_evt_type & 0x00FF0) >> 4;
group = krait_evt_type & 0x0000F;
if ((group > 3) || (reg > krait_max_l1_reg))
return -EINVAL;
if (prefix != KRAIT_EVT_PREFIX && prefix != KRAIT_VENUMEVT_PREFIX)
return -EINVAL;
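Review bot: With the early `(group > 3) || (reg > krait_max_l1_reg)` test dropped from this spot, `group` and `reg` stay unvalidated through the prefix test and everything up to the relocated check in the next hunk, so any use of either as an index or shift count in that stretch (not shown in this diff) needs to be ruled out. A short comment at the new location saying the check must follow the `VENUM_BASE_OFFSET` adjustment would keep it from being moved back up later. Separately, the function is declared `static unsigned int` yet returns `-EINVAL`; a caller that holds the result in an unsigned variable and tests it for `< 0` will never see the error, so the return type or the callers' comparison deserves a look.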
......@@ -232,6 +229,9 @@ static unsigned int get_krait_evtinfo(unsigned int krait_evt_type,
reg += VENUM_BASE_OFFSET;
}
if ((group > 3) || (reg > krait_max_l1_reg))
return -EINVAL;
evtinfo->group_setval = 0x80000000 | (code << (group * 8));
evtinfo->groupcode = reg;
evtinfo->armv7_evt_type = evt_type_base[evt_index][reg] | group;
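Review bot: The relocated check in front of `evt_type_base[evt_index][reg]` bounds `reg` and `group` only; `evt_index`, the first subscript on that same line, has no validation in the visible lines, so confirm it is range-checked earlier in the function or add it to this test. Because the comparison is `reg > krait_max_l1_reg` and now runs after `reg += VENUM_BASE_OFFSET`, `krait_max_l1_reg` has to be the highest valid second-dimension index of `evt_type_base` (not the element count) for the offset-adjusted value; stating that in a comment next to the check would make the invariant reviewable.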