From patchwork Fri Apr 27 13:53:02 2018
X-Patchwork-Submitter: Etienne Carriere
X-Patchwork-Id: 134623
From: Etienne Carriere
Date: Fri, 27 Apr 2018 15:53:02 +0200
Subject: [PATCH] tee: check shm references are consistent in offset/size
To: linux-kernel@vger.kernel.org, Jens Wiklander, Alexandre Jutras

This change prevents userland from referencing TEE shared memory outside the area initially allocated by its owner. Prior to this change an application could not reference or access memory it did not own but it could reference memory not explicitly allocated by owner.

Reported-by: Alexandre Jutras
Signed-off-by: Etienne Carriere
--- drivers/tee/tee_core.c | 11 +++++++++++ 1 file changed, 11 insertions(+) params[n].u.memref.shm = shm; -- 1.9.1 diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c index 0124a91..dd46b75 100644 --- a/drivers/tee/tee_core.c +++ b/drivers/tee/tee_core.c @@ -238,6 +238,17 @@ static int params_from_user(struct tee_context *ctx, struct tee_param *params, if (IS_ERR(shm)) return PTR_ERR(shm); + /* + * Ensure offset + size does not overflow offset + * and does not overflow the size of the referred + * shared memory object. + */ + if ((ip.a + ip.b) < ip.a || + (ip.a + ip.b) > shm->size) { + tee_shm_put(shm); + return -EINVAL; + } + params[n].u.memref.shm_offs = ip.a; params[n].u.memref.size = ip.b;
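
Review bot: The bounds test added in params_from_user() computes `(ip.a + ip.b)` twice and depends on unsigned wrap-around at whatever width ip.a and ip.b have, which the hunk does not show. Stating the bound without the addition, for example `ip.b > shm->size || ip.a > shm->size - ip.b`, or using the kernel's check_add_overflow() helper where available, makes the check independent of how the sum is promoted against shm->size and easier to audit. The values are then stored into params[n].u.memref.shm_offs and .size right after the check, so it is worth confirming those fields are at least as wide as ip.a and ip.b; otherwise the stored values could differ from the ones that were validated. The error path does drop the reference with tee_shm_put(shm) before returning -EINVAL, which is right. Since the commit message describes userland referencing memory outside the allocated area, a Fixes: tag and a stable Cc would help backporting; neither appears in the tags shown.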