lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Fri, 27 Apr 2018 08:58:29 -0700
From:   Randy Dunlap <rdunlap@...radead.org>
To:     Etienne Carriere <etienne.carriere@...aro.org>,
        linux-kernel@...r.kernel.org,
        Jens Wiklander <jens.wiklander@...aro.org>,
        Alexandre Jutras <alexandre.jutras@....com>
Subject: Re: [PATCH] tee: check shm references are consistent in offset/size

On 04/27/2018 06:53 AM, Etienne Carriere wrote:
> This change prevents userland from referencing TEE shared memory
> outside the area initially allocated by its owner. Prior this change an
> application could not reference or access memory it did not own but
> it could reference memory not explicitly allocated by owner.
> 
> Reported-by: Alexandre Jutras <alexandre.jutras@....com>
> Signed-off-by: Etienne Carriere <etienne.carriere@...aro.org>
> 
> ---
>  drivers/tee/tee_core.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
> index 0124a91..dd46b75 100644
> --- a/drivers/tee/tee_core.c
> +++ b/drivers/tee/tee_core.c
> @@ -238,6 +238,17 @@ static int params_from_user(struct tee_context
> *ctx, struct tee_param *params,

Those 2 lines above should be only one line.

>              if (IS_ERR(shm))
>                  return PTR_ERR(shm);
> 
> +            /*
> +             * Ensure offset + size does not overflow offset
> +             * and does not overflow the size of the referred
> +             * shared memory object.
> +             */
> +            if ((ip.a + ip.b) < ip.a ||
> +                (ip.a + ip.b) > shm->size) {
> +                tee_shm_put(shm);
> +                return -EINVAL;
> +            }
> +

Hi,
The patch makes sense but the whitespace and indentation are all mucked up.
Could be your email client.
Please check/fix and test by emailing it to yourself.

>              params[n].u.memref.shm_offs = ip.a;
>              params[n].u.memref.size = ip.b;
>              params[n].u.memref.shm = shm;
> 

thanks,
-- 
~Randy

Powered by blists - more mailing lists