| From foo@baz Sun Jun 17 12:07:34 CEST 2018 |
| From: Etienne Carriere <etienne.carriere@linaro.org> |
| Date: Sun, 29 Apr 2018 14:22:29 +0200 |
| Subject: tee: check shm references are consistent in offset/size |
| |
| From: Etienne Carriere <etienne.carriere@linaro.org> |
| |
| [ Upstream commit ab9d3db5b320a052452b9cd035599ee3c84bbee9 ] |
| |
| This change prevents userland from referencing TEE shared memory |
| outside the area initially allocated by its owner. Prior to this change an |
| application could not reference or access memory it did not own, but |
| it could reference memory not explicitly allocated by the owner yet still |
| allocated to the owner due to the memory allocation granule. |
| |
| Reported-by: Alexandre Jutras <alexandre.jutras@nxp.com> |
| Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> |
| Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> |
| Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/tee/tee_core.c | 11 +++++++++++ |
| 1 file changed, 11 insertions(+) |
| |
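The bounds check described in the commit message, as an added stand-alone C example (not code from the kernel or from the patch author). It models a shared memory object that was requested at 100 bytes but is backed by a larger allocation granule, and contrasts a naive `offs + size <= size` test, which a wrapping 64-bit sum slips past, with the wrap-safe form the patch uses and an equivalent subtraction form. `struct shm_obj` and the three function names are hypothetical stand-ins for `struct tee_shm` and the in-kernel check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the kernel's struct tee_shm: only the size
 * the owner actually requested matters for the check.  The backing
 * allocation may be larger (allocation granule), which is exactly the
 * memory the naive check used to let a caller reach. */
struct shm_obj {
    size_t size;
};

/* Naive check: catches references that plainly run past the end, but a
 * wrapped sum (offs + size overflowing back to a small value) passes. */
bool memref_ok_naive(uint64_t offs, uint64_t size, const struct shm_obj *shm)
{
    return offs + size <= shm->size;
}

/* Same shape as the check the patch adds: the 64-bit sum must neither
 * wrap around nor exceed the size of the referred shared memory object. */
bool memref_ok_fixed(uint64_t offs, uint64_t size, const struct shm_obj *shm)
{
    uint64_t end = offs + size;

    if (end < offs)          /* unsigned wrap-around */
        return false;
    if (end > shm->size)     /* past the end of the owner's allocation */
        return false;
    return true;
}

/* Equivalent test written so that no wrap can occur at all: the size
 * must fit, and the offset must fit in what is left after the size. */
bool memref_ok_subtract(uint64_t offs, uint64_t size, const struct shm_obj *shm)
{
    return size <= shm->size && offs <= shm->size - size;
}

int main(void)
{
    /* Constructed sample: owner asked for 100 bytes; the page behind it
     * is larger, so offsets 100..4095 exist but were never allocated. */
    struct shm_obj shm = { .size = 100 };

    struct { uint64_t offs, size; } refs[] = {
        { 0, 100 },            /* whole object: valid */
        { 100, 0 },            /* zero-length reference at the end: valid */
        { 100, 1 },            /* one byte into the granule slack: invalid */
        { 100, UINT64_MAX },   /* wraps to 99: naive check accepts it */
    };

    for (size_t i = 0; i < sizeof(refs) / sizeof(refs[0]); i++) {
        printf("offs=%llu size=%llu naive=%d fixed=%d subtract=%d\n",
               (unsigned long long)refs[i].offs,
               (unsigned long long)refs[i].size,
               memref_ok_naive(refs[i].offs, refs[i].size, &shm),
               memref_ok_fixed(refs[i].offs, refs[i].size, &shm),
               memref_ok_subtract(refs[i].offs, refs[i].size, &shm));
    }
    return 0;
}
```

The last row is the interesting one: `100 + UINT64_MAX` wraps to 99, so the naive comparison returns true and a caller could pass a memref that the TEE driver would then treat as covering almost the entire 64-bit space. Both wrap-safe forms reject it; the subtraction form is the one to prefer when the compiler or a static analyser complains about relying on overflow detection after the fact.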
| --- a/drivers/tee/tee_core.c |
| +++ b/drivers/tee/tee_core.c |
| @@ -238,6 +238,17 @@ static int params_from_user(struct tee_c |
| if (IS_ERR(shm)) |
| return PTR_ERR(shm); |
| |
| + /* |
| + * Ensure offset + size does not overflow offset |
| + * and does not overflow the size of the referred |
| + * shared memory object. |
| + */ |
| + if ((ip.a + ip.b) < ip.a || |
| + (ip.a + ip.b) > shm->size) { |
| + tee_shm_put(shm); |
| + return -EINVAL; |
| + } |
| + |
| params[n].u.memref.shm_offs = ip.a; |
| params[n].u.memref.size = ip.b; |
| params[n].u.memref.shm = shm; |
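Review bot: the comment "Ensure offset + size does not overflow offset" is a confusing way of saying the sum must not wrap around; since ip.a and ip.b are __u64, `(ip.a + ip.b) < ip.a` is a correct wrap test, but the same condition reads more plainly without it as `if (ip.b > shm->size || ip.a > shm->size - ip.b)`, which also makes the intent (size fits, then offset fits in the remainder) obvious to the next reader. Either form accepts a zero-length reference with ip.a == shm->size, which is harmless. The tee_shm_put(shm) on the new error path correctly drops the reference obtained just above, matching the existing IS_ERR path.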