| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220823080129.221336436@linuxfoundation.org>
Date: Tue, 23 Aug 2022 10:26:46 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Nimish Mishra <neelam.nimish@...il.com>,
Anirban Chakraborty <ch.anirban00727@...il.com>,
Debdeep Mukhopadhyay <debdeep.mukhopadhyay@...il.com>,
Jerome Forissier <jerome.forissier@...aro.org>,
Jens Wiklander <jens.wiklander@...aro.org>,
Linus Torvalds <torvalds@...ux-foundation.org>
Subject: [PATCH 5.4 328/389] tee: add overflow check in register_shm_helper()
From: Jens Wiklander <jens.wiklander@...aro.org>
commit 573ae4f13f630d6660008f1974c0a8a29c30e18a upstream.
With special lengths supplied by user space, register_shm_helper() has
an integer overflow when calculating the number of pages covered by a
supplied user space memory region.
This causes internal_get_user_pages_fast() a helper function of
pin_user_pages_fast() to do a NULL pointer dereference:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
Modules linked in:
CPU: 1 PID: 173 Comm: optee_example_a Not tainted 5.19.0 #11
Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
pc : internal_get_user_pages_fast+0x474/0xa80
Call trace:
internal_get_user_pages_fast+0x474/0xa80
pin_user_pages_fast+0x24/0x4c
register_shm_helper+0x194/0x330
tee_shm_register_user_buf+0x78/0x120
tee_ioctl+0xd0/0x11a0
__arm64_sys_ioctl+0xa8/0xec
invoke_syscall+0x48/0x114
Fix this by adding an an explicit call to access_ok() in
tee_shm_register_user_buf() to catch an invalid user space address
early.
Fixes: 033ddf12bcf5 ("tee: add register user memory")
Cc: stable@...r.kernel.org
Reported-by: Nimish Mishra <neelam.nimish@...il.com>
Reported-by: Anirban Chakraborty <ch.anirban00727@...il.com>
Reported-by: Debdeep Mukhopadhyay <debdeep.mukhopadhyay@...il.com>
Suggested-by: Jerome Forissier <jerome.forissier@...aro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@...aro.org>
Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
[JW: backport to stable-5.4 + update commit message]
Signed-off-by: Jens Wiklander <jens.wiklander@...aro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
drivers/tee/tee_core.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/tee/tee_core.c
+++ b/drivers/tee/tee_core.c
@@ -182,6 +182,9 @@ tee_ioctl_shm_register(struct tee_contex
if (data.flags)
return -EINVAL;
+ if (!access_ok((void __user *)(unsigned long)data.addr, data.length))
+ return -EFAULT;
+
shm = tee_shm_register(ctx, data.addr, data.length,
TEE_SHM_DMA_BUF | TEE_SHM_USER_MAPPED);
if (IS_ERR(shm))
Powered by blists - more mailing lists