DebugFS: Check channel index before calling clone function
To avoid a potential out-of-bounds access, check whether
a device exists on a channel before calling the corresponding
clone function.
Signed-off-by: Zelalem <zelalem.aweke@arm.com>
Change-Id: Ia0dd66b331d3fa8a33109a02369e1bc9ae0fdd5b
diff --git a/lib/debugfs/dev.c b/lib/debugfs/dev.c
index 0361437..2fc1d40 100644
--- a/lib/debugfs/dev.c
+++ b/lib/debugfs/dev.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -333,6 +333,10 @@
******************************************************************************/
chan_t *clone(chan_t *c, chan_t *nc)
{
+ if (c->index == NODEV) {
+ return NULL;
+ }
+
return devtab[c->index]->clone(c, nc);
}
diff --git a/lib/debugfs/devfip.c b/lib/debugfs/devfip.c
index d8b83b7..85e6403 100644
--- a/lib/debugfs/devfip.c
+++ b/lib/debugfs/devfip.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -129,7 +129,10 @@
panic();
}
- clone(archives[c->dev].c, &nc);
+ if (clone(archives[c->dev].c, &nc) == NULL) {
+ panic();
+ }
+
fip = &archives[nc.dev];
off = STOC_HEADER;
@@ -202,7 +205,9 @@
panic();
}
- clone(fip->c, &cs);
+ if (clone(fip->c, &cs) == NULL) {
+ panic();
+ }
size = fip->size[c->qid];
if (c->offset >= size) {