This change prevents userland from referencing TEE shared memory
outside the area initially allocated by its owner. Prior this change an
application could not reference or access memory it did not own but
it could reference memory not explicitly allocated by owner but still
allocated to the owner due to the memory allocation granule.
Reported-by: Alexandre Jutras <[email protected]>
Signed-off-by: Etienne Carriere <[email protected]>
---
drivers/tee/tee_core.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
index 0124a91..dd46b75 100644
--- a/drivers/tee/tee_core.c
+++ b/drivers/tee/tee_core.c
@@ -238,6 +238,17 @@ static int params_from_user(struct tee_context *ctx, struct tee_param *params,
if (IS_ERR(shm))
return PTR_ERR(shm);
+ /*
+ * Ensure offset + size does not overflow offset
+ * and does not overflow the size of the referred
+ * shared memory object.
+ */
+ if ((ip.a + ip.b) < ip.a ||
+ (ip.a + ip.b) > shm->size) {
+ tee_shm_put(shm);
+ return -EINVAL;
+ }
+
params[n].u.memref.shm_offs = ip.a;
params[n].u.memref.size = ip.b;
params[n].u.memref.shm = shm;
--
1.9.1
On Sun, Apr 29, 2018 at 2:22 PM, Etienne Carriere
<[email protected]> wrote:
> This change prevents userland from referencing TEE shared memory
> outside the area initially allocated by its owner. Prior this change an
> application could not reference or access memory it did not own but
> it could reference memory not explicitly allocated by owner but still
> allocated to the owner due to the memory allocation granule.
>
> Reported-by: Alexandre Jutras <[email protected]>
> Signed-off-by: Etienne Carriere <[email protected]>
> ---
> drivers/tee/tee_core.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
> index 0124a91..dd46b75 100644
> --- a/drivers/tee/tee_core.c
> +++ b/drivers/tee/tee_core.c
> @@ -238,6 +238,17 @@ static int params_from_user(struct tee_context *ctx, struct tee_param *params,
> if (IS_ERR(shm))
> return PTR_ERR(shm);
>
> + /*
> + * Ensure offset + size does not overflow offset
> + * and does not overflow the size of the referred
> + * shared memory object.
> + */
> + if ((ip.a + ip.b) < ip.a ||
> + (ip.a + ip.b) > shm->size) {
> + tee_shm_put(shm);
> + return -EINVAL;
> + }
> +
> params[n].u.memref.shm_offs = ip.a;
> params[n].u.memref.size = ip.b;
> params[n].u.memref.shm = shm;
> --
> 1.9.1
>
Looks good to me, I'll pick this up.
Thanks,
Jens