core: fix potential crash when setting transfer entry size
Fix a potential crash when the rounded up end-of-entry exceeds the
boundary of the old end-of-transfer-list when setting the size of
a transfer entry.

The crash happens when the specified entry is the last one in the
transfer list and its rounded up end 'old_ev' exceeds the
'tl_old_ev' which is not rounded up, leading to a negative value
with (tl_old_ev - old_ev).

Logically, 'tl_old_ev > old_ev' is the only case that indicates
there are subsequent entries to be moved.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
raymo200915 authored and jforissier committed Jan 27, 2025
1 parent ded2078 commit bf27365
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion core/kernel/transfer_list.c
Expand Up @@ -407,7 +407,8 @@ bool transfer_list_set_data_size(struct transfer_list_header *tl,
tl->size -= mov_dis;
}
/* Move all following entries to fit in the expanded or shrunk space */
memmove((void *)r_new_ev, (void *)old_ev, tl_old_ev - old_ev);
if (tl_old_ev > old_ev)
memmove((void *)r_new_ev, (void *)old_ev, tl_old_ev - old_ev);

/*
* Fill the gap due to round up/down with a void entry if the size of
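Review bot: the comment above the new `if (tl_old_ev > old_ev)` guard still describes an unconditional move; it should say that the move is skipped when the entry is the last one in the list, where the rounded-up `old_ev` can pass the unrounded `tl_old_ev`, so the reason for the check survives outside the commit message. The guard only protects the `memmove` length: the `tl->size -= mov_dis;` adjustment just above and the void-entry gap fill that starts just below are unchanged, so please confirm both are correct in the same last-entry case. A regression test that resizes the final entry of a transfer list would cover the path this commit fixes.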