From patchwork Sun Apr 29 12:22:29 2018
X-Patchwork-Submitter: Etienne Carriere
X-Patchwork-Id: 134666
From: Etienne Carriere
To: alexandre.jutras@nxp.com, linux-kernel@vger.kernel.org, jens.wiklander@linaro.org
Cc: Etienne Carriere
Subject: [PATCH] tee: check shm references are consistent in offset/size
Date: Sun, 29 Apr 2018 14:22:29 +0200
Message-Id: <1525004549-16266-1-git-send-email-etienne.carriere@linaro.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This change prevents userland from referencing TEE shared memory
outside the area initially allocated by its owner. Prior to this change,
an application could not reference or access memory it did not own,
but it could reference memory not explicitly allocated by the owner but
still allocated to the owner due to the memory allocation granule.

Reported-by: Alexandre Jutras
Signed-off-by: Etienne Carriere
---
 drivers/tee/tee_core.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

--
1.9.1

diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c index 0124a91..dd46b75 100644 --- a/drivers/tee/tee_core.c +++ b/drivers/tee/tee_core.c 
@@ -238,6 +238,17 @@ static int params_from_user(struct tee_context *ctx, struct tee_param *params, if (IS_ERR(shm)) return PTR_ERR(shm); + /* + * Ensure offset + size does not overflow offset + * and does not overflow the size of the referred + * shared memory object. + */ + if ((ip.a + ip.b) < ip.a || + (ip.a + ip.b) > shm->size) { + tee_shm_put(shm); + return -EINVAL; + } + params[n].u.memref.shm_offs = ip.a; params[n].u.memref.size = ip.b; params[n].u.memref.shm = shm;
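Review bot: The wrap test in the added condition, `(ip.a + ip.b) < ip.a`, is only sound if ip.a and ip.b are unsigned and the sum is evaluated at their full width, and their declarations are not visible in this hunk. The same applies to the comparison `(ip.a + ip.b) > shm->size` if shm->size is narrower than the sum. A form that never computes the sum avoids both concerns and needs no separate overflow clause: `if (ip.b > shm->size || ip.a > shm->size - ip.b)`. The error path does release the reference with tee_shm_put(shm) before returning -EINVAL, which is right. The comment's wording "does not overflow offset" is ambiguous; something like "offset + size does not wrap and stays within the shared memory object" would say which property is being enforced. Since the assignments to params[n].u.memref.shm_offs and params[n].u.memref.size follow the check directly, it would also help to state in the commit message whether other paths that build a memref from user-supplied values pass through this function.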