POC / cve-2022-46152-oob-emsg.patch PATCH
From 3c3380d56270593123097d6ad08da505f315e504 Mon Sep 17 00:00:00 2001
From: qianfei11 <[email protected]>
Date: Thu, 5 Mar 2026 19:53:51 +0800
Subject: [PATCH] fix(entry_std): add an explicit EMSG log when the CVE-2022-46152 OOB is triggered
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

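Add a check before the cleanup_shm_refs call in entry_invoke_command():
when num_params > TEE_NUM_PARAMS, print an explicit out-of-bounds warning
on the secure-world UART via EMSG(), so that triggering the vulnerability
is visible in the Secure World log.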

Co-authored-by: Copilot <[email protected]>
---
 core/tee/entry_std.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/core/tee/entry_std.c b/core/tee/entry_std.c
index 0ec47e4..77fa93b 100644
--- a/core/tee/entry_std.c
+++ b/core/tee/entry_std.c
@@ -22,6 +22,7 @@
 #include <tee/entry_std.h>
 #include <tee/tee_cryp_utl.h>
 #include <tee/uuid.h>
+#include <trace.h>
 #include <util.h>
 
 #define SHM_CACHE_ATTRS	\
@@ -447,6 +448,9 @@ static void entry_invoke_command(struct optee_msg_arg *arg, uint32_t num_params)
 	copy_out_param(&param, num_params, arg->params, saved_attr);
 
 out:
+	if (num_params > TEE_NUM_PARAMS)
+		EMSG("CVE-2022-46152: OOB! cleanup_shm_refs num_params=%u > TEE_NUM_PARAMS=%u",
+		     num_params, (uint32_t)TEE_NUM_PARAMS);
 	cleanup_shm_refs(saved_attr, &param, num_params);
 
 	arg->ret = res;
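Review bot: the new check at `out:` only logs, and `cleanup_shm_refs(saved_attr, &param, num_params)` on the following line still runs with the same unclamped `num_params`, so the condition the message reports as out of bounds is announced and then carried out. If this is diagnostic instrumentation for reproducing the issue, say so in a comment above the `if` and keep it out of production builds. If it is meant as hardening, reject `num_params > TEE_NUM_PARAMS` at the top of entry_invoke_command() instead, which would also cover the `copy_out_param(&param, num_params, ...)` call above `out:` that takes the same value. Two smaller points: the check sits under the `out:` label, so it also fires on every error path that jumps there, and the EMSG() format string runs well past 80 columns and would be easier to read split across lines.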
-- 
2.43.0