Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp854040pxu;
        Mon, 23 Nov 2020 05:58:56 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzG2WiAi47D9Y5YVRnIn/H3EUREKGB41CYfMGMV9Q3z166pAtaLI2NeJzE7mlX9Wq4MKwWt
X-Received: by 2002:aa7:c61a:: with SMTP id h26mr17269434edq.327.1606139936091;
        Mon, 23 Nov 2020 05:58:56 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1606139936; cv=none;
        d=google.com; s=arc-20160816;
        b=hkaMQO2s7WoaqA3FGoZWpCGvvfFcmf/aQbnpJa5KIp8oYq+uPox3OYREL6AaZ1K1Mo
         4PHhMrlZAHnXQzbmKkOBQm9cg9afN2OxNS8xFHhGawg3aUyluMpSX20q0tNmH1rgTBaD
         mmP3OBQ1x3TrFfoQjU9iyLIetYKFBu+M2mkbCb4IZf7sGZP2P3J4v+N/ejGKzFPxvK4X
         zlz2p5F8kAKuAC3IhmUtyeD5wqJtxdGbXE9TBQevw6aBBFrbxZD8Upq+LAg4r7fWSxRN
         t/991ZrRvR2w85Fr+s5QxKM33gGQGG2xQArWFC/DWa3EHaQvekMj833ky090JOmfoLhV
         BOlw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=GKD+c+BERbhK3PerK4pqbY+tD6ko39fVI+C/aQeshLg=;
        b=sWc8eJqi21rg/LX/IIPSjcWty29syeccWb2AwijGuPouxKGNZRVL86v3FefHd5Y2Yn
         k+6puHL0lvbfSovO8eJ16MwcjVzmDjirfkoYfEKCXS6P/kEAiHN76LtKCQX/rG6Mf5L8
         6kl3UiAKkZ1QxJyZZcJYcCg3XA1oed/HfSHN/w8d9IPz+7Kb4RieapVjIzWME3QlLwzY
         uyxJbjUyZiHPSqTj4NHVj/XZzPnX2svL+AkJk0xIxRBo3aTdPc1FQzD8I9frvyHd47k7
         V/o/T+Jv0QQOhy43BaO53hCzm3Axd/Nd1FDZ8TPFPG2tpknAjvWitnptYcGXgXd5Jp3m
         Ykmw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=D4uTZ+cJ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id bt1si3789362edb.267.2020.11.23.05.58.33;
        Mon, 23 Nov 2020 05:58:56 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=D4uTZ+cJ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2388755AbgKWNxJ (ORCPT <rfc822;thunderbird.krnldev@gmail.com>
        + 99 others); Mon, 23 Nov 2020 08:53:09 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40402 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2388764AbgKWNxH (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 23 Nov 2020 08:53:07 -0500
Received: from mail-oi1-x241.google.com (mail-oi1-x241.google.com [IPv6:2607:f8b0:4864:20::241])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CF5D4C0613CF
        for <linux-kernel@vger.kernel.org>; Mon, 23 Nov 2020 05:53:06 -0800 (PST)
Received: by mail-oi1-x241.google.com with SMTP id d9so19732291oib.3
        for <linux-kernel@vger.kernel.org>; Mon, 23 Nov 2020 05:53:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=GKD+c+BERbhK3PerK4pqbY+tD6ko39fVI+C/aQeshLg=;
        b=D4uTZ+cJb47lcFigifoVMq9XCUYU9dMufeCQB5F8TcweyVHwuU+CNxGmBBvXUH3n4e
         jGSWNnt0yiaNhdJjOQJxAlQAxGdr63Cgd7nBOS9KAwI7ChZ62FqTLm3f+OxmbnhEAGeX
         DwyNalrVuhoAe5O2MRFdH4TcaPPA8Jsi9cUQud2BxA9jwxJqxcIQPzbnoDcATQT2lHOG
         9zf6BAM7bidzIBgDXdGsefWTuSSjTqW0qKu1OxUeAgfbHbf7IIuETlBkJWSGVdwTn6u+
         js3jHc3vbrDserZca5T6+iIBDAUTrhDZAbNeHzlAnlDdNnW0g9Igru6a3GBdz/EE1p5D
         Fi8w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=GKD+c+BERbhK3PerK4pqbY+tD6ko39fVI+C/aQeshLg=;
        b=oPqM+IgSAM5By+z5I54ATCcaL7QqlRAWQx5aaS+2EA5sXWFBwZE/jOYm7Ovlz7MIph
         M2Y3Om9D/+aFjoptOpnvfTFWQCqhenAjRP+wvkro6hswXIalIAPGz4gePXROF5pj/8Ic
         0HiB2ND8qTU4Z9cpRlJD5mIuScChxhuD+BbeQ+frJL15fDvw6oF++TBtxwQUKDGQNJJb
         PBp7HKq51NCubWuEmSAgNMmVsBAb0FJHUm+xfPWmU8YjQ6svspH6fXk3ILR6zL0Y5lVk
         2neRmt01XGbaOX6UikBUIs6cION/fhlCoy7BxaLzpI/KJbYRuStLo8tlUnLh0fDmXv8I
         nxvQ==
X-Gm-Message-State: AOAM531Jr8jdWkkjPw74aULmme93uT8lFqUZIx/FjaUCT5Hs775OW1nT
        43iMXXUsboq2smr5zTLi2V5PbUaqLSzf4JJG/4hTUw==
X-Received: by 2002:aca:c657:: with SMTP id w84mr12368311oif.47.1606139586278;
 Mon, 23 Nov 2020 05:53:06 -0800 (PST)
MIME-Version: 1.0
References: <1606115436-15332-1-git-send-email-a869920004@163.com>
In-Reply-To: <1606115436-15332-1-git-send-email-a869920004@163.com>
From:   Jens Wiklander <jens.wiklander@linaro.org>
Date:   Mon, 23 Nov 2020 14:52:55 +0100
Message-ID: <CAHUa44HB6WKoubGEWFANh8SmsOU0Z=p+42AV5-At8TC1B08npA@mail.gmail.com>
Subject: Re: [PATCH] Properly check tee_shm buffer mmap offset
To:     gaoyusong <a869920004@163.com>
Cc:     Sumit Semwal <sumit.semwal@linaro.org>,
        Christian Koenig <christian.koenig@amd.com>,
        op-tee@lists.trustedfirmware.org,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        linux-media@vger.kernel.org,
        DRI Development <dri-devel@lists.freedesktop.org>,
        linaro-mm-sig@lists.linaro.org
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

On Mon, Nov 23, 2020 at 8:10 AM gaoyusong <a869920004@163.com> wrote:
>
> The memmap options in tee_shm_op_mmap were not being checked for all
> sets of possible crazy values. Fix this up by properly check tee_shm
> buffer offsets.
>
> Signed-off-by: gaoyusong <a869920004@163.com>
> ---
>  drivers/tee/tee_shm.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
>
> diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c
> index 827ac3d..3f762c8 100644
> --- a/drivers/tee/tee_shm.c
> +++ b/drivers/tee/tee_shm.c
> @@ -75,6 +75,16 @@ static int tee_shm_op_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma)
>  {
>         struct tee_shm *shm = dmabuf->priv;
>         size_t size = vma->vm_end - vma->vm_start;
> +       unsigned long offset;
> +
> +       /* Check dmabuffer mmap offset */
> +       if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
> +               return -EINVAL;
> +
> +       offset = vma->vm_pgoff << PAGE_SHIFT;
> +
> +       if (offset > shm->size || size > shm->size - offset)
> +               return -EINVAL;

If we would have used vm_pgoff below to offset into the shm buffer
these checks would be needed.
Currently we're ignoring this field though. That might be a bit
inconsistent with the mmap() API, but on the other hand this buffer
has just been carved out of the shared memory pool for the purpose of
mapping it in user space. To carve out more than we're going to map
would be wasteful so I guess that in the end it makes sense to ignore
vm_pgoff.

Thanks,
Jens

>
>         /* Refuse sharing shared memory provided by application */
>         if (shm->flags & TEE_SHM_USER_MAPPED)
> --
> 1.8.3.1
>