Date: Fri, 27 Apr 2018 08:58:29 -0700
From: Randy Dunlap <rdunlap@...radead.org>
To: Etienne Carriere <etienne.carriere@...aro.org>, linux-kernel@...r.kernel.org, Jens Wiklander <jens.wiklander@...aro.org>, Alexandre Jutras <alexandre.jutras@....com>
Subject: Re: [PATCH] tee: check shm references are consistent in offset/size

On 04/27/2018 06:53 AM, Etienne Carriere wrote:
> This change prevents userland from referencing TEE shared memory
> outside the area initially allocated by its owner. Prior this change an
> application could not reference or access memory it did not own but
> it could reference memory not explicitly allocated by owner.
>
> Reported-by: Alexandre Jutras <alexandre.jutras@....com>
> Signed-off-by: Etienne Carriere <etienne.carriere@...aro.org>
>
> ---
> drivers/tee/tee_core.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
> index 0124a91..dd46b75 100644
> --- a/drivers/tee/tee_core.c
> +++ b/drivers/tee/tee_core.c
> @@ -238,6 +238,17 @@ static int params_from_user(struct tee_context
> *ctx, struct tee_param *params,

Those 2 lines above should be only one line.

> if (IS_ERR(shm))
> return PTR_ERR(shm);
>
> + /*
> + * Ensure offset + size does not overflow offset
> + * and does not overflow the size of the referred
> + * shared memory object.
> + */
> + if ((ip.a + ip.b) < ip.a ||
> + (ip.a + ip.b) > shm->size) {
> + tee_shm_put(shm);
> + return -EINVAL;
> + }
> +

Hi,

The patch makes sense but the whitespace and indentation are all mucked up.
Could be your email client. Please check/fix and test by emailing it to yourself.

> params[n].u.memref.shm_offs = ip.a;
> params[n].u.memref.size = ip.b;
> params[n].u.memref.shm = shm;
>

thanks,
--
~Randy
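
Review bot: In the added check in params_from_user(), the wrap-around test `(ip.a + ip.b) < ip.a` is only valid when ip.a and ip.b are unsigned, which the quoted lines do not show, and the sum is computed twice. A form with no intermediate sum, such as `if (ip.b > shm->size || ip.a > shm->size - ip.b)`, enforces the same bound for unsigned operands and leaves nothing that can wrap. The comment's "does not overflow offset" is also unclear; "offset + size does not wrap around" says what the first condition tests. The error path does drop the reference with tee_shm_put(shm) before returning -EINVAL, which matches the lookup that precedes it.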