commit 672b39286b2ab228a10a2c6bd5089187f4057439
parent 046ba6e114b69e411dc707b443dd45a1bb6c8b2b
Author: Roberto Vargas <roberto.vargas@arm.com>
Date: Fri, 2 Nov 2018 08:09:08 +0000
Add additional check in rmc()
The dispatcher is a very vulnerable part of the code because
its input values are controlled by a lower exception level, so
we have to be very defensive about how it works. We shouldn't
trust other parts of the code in rmc().
Diffstat:
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/rmc.c b/src/rmc.c
@@ -144,15 +144,20 @@ rmc(Rmucmd *cmd)
const struct rowidx *idx;
void (*fp)(Rmucmd *cmd);
void *bp;
+ unsigned off;
if (cmd->class > 255 || cmd->func > 255)
- panic("rmc");
+ panic("rmc1");
idx = &rowidx[cmd->class];
if (cmd->func >= idx->cnt)
badcmd(-1); /* TODO: put the correct code */
- bp = reloc(handler[idx->off + cmd->func]);
+ off = idx->off + cmd->func;
+ if (off > 255)
+ panic("rmc2");
+
+ bp = reloc(handler[off]);
fp = (void (*) (Rmucmd *)) bp;
(*fp)(cmd);
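Review bot: The new `if (off > 255)` guard in front of `handler[off]` hard-codes a bound that is only correct if `handler` has exactly 256 entries, and the table's size is not visible in this hunk. If the table is shorter, an inconsistent `rowidx` entry combined with a `cmd->func` chosen by the lower exception level could still index past the end, and the value loaded there is then called through `fp`. Tying the check to the array keeps it correct when the table changes, e.g. `if (off >= sizeof(handler) / sizeof(handler[0]))`, provided the array definition (not just an unsized extern declaration) is in scope here. The earlier `cmd->class > 255` test before `&rowidx[cmd->class]` has the same dependency on an unstated table size. The body of rmc() begins above the hunk and may continue past its last line.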