Message-ID: <202512130645.3njk1yxJ-lkp@intel.com>
Date: Sat, 13 Dec 2025 14:05:35 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: oe-kbuild@...ts.linux.dev,
	Amirreza Zarrabi <amirreza.zarrabi@....qualcomm.com>
Cc: lkp@...el.com, oe-kbuild-all@...ts.linux.dev,
	linux-kernel@...r.kernel.org,
	Jens Wiklander <jens.wiklander@...aro.org>,
	Sumit Garg <sumit.garg@....qualcomm.com>
Subject: drivers/tee/tee_core.c:735 tee_ioctl_object_invoke() warn: potential
 user controlled sizeof overflow '20 + (size_mul(32, (arg.num_params)))' '20
 + 0-u32max'

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   187d0801404f415f22c0b31531982c7ea97fa341
commit: d5b8b0fa1775d8b59c3fc9e4aa2baa715d08f3ee tee: add TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF
config: csky-randconfig-r071-20251212 (https://download.01.org/0day-ci/archive/20251213/202512130645.3njk1yxJ-lkp@intel.com/config)
compiler: csky-linux-gcc (GCC) 15.1.0

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@...el.com>
| Reported-by: Dan Carpenter <dan.carpenter@...aro.org>
| Closes: https://lore.kernel.org/r/202512130645.3njk1yxJ-lkp@intel.com/

New smatch warnings:
drivers/tee/tee_core.c:735 tee_ioctl_object_invoke() warn: potential user controlled sizeof overflow '20 + (size_mul(32, (arg.num_params)))' '20 + 0-u32max'

Old smatch warnings:
arch/csky/include/asm/uaccess.h:191 __get_user_fn() error: uninitialized symbol 'retval'.

vim +735 drivers/tee/tee_core.c

d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  710  static int tee_ioctl_object_invoke(struct tee_context *ctx,
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  711  				   struct tee_ioctl_buf_data __user *ubuf)
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  712  {
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  713  	int rc;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  714  	size_t n;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  715  	struct tee_ioctl_buf_data buf;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  716  	struct tee_ioctl_object_invoke_arg __user *uarg;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  717  	struct tee_ioctl_object_invoke_arg arg;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  718  	struct tee_ioctl_param __user *uparams = NULL;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  719  	struct tee_param *params = NULL;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  720  
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  721  	if (!ctx->teedev->desc->ops->object_invoke_func)
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  722  		return -EINVAL;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  723  
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  724  	if (copy_from_user(&buf, ubuf, sizeof(buf)))
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  725  		return -EFAULT;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  726  
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  727  	if (buf.buf_len > TEE_MAX_ARG_SIZE ||
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  728  	    buf.buf_len < sizeof(struct tee_ioctl_object_invoke_arg))
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  729  		return -EINVAL;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  730  
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  731  	uarg = u64_to_user_ptr(buf.buf_ptr);
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  732  	if (copy_from_user(&arg, uarg, sizeof(arg)))
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  733  		return -EFAULT;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  734  
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11 @735  	if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)

This isn't a runtime bug, because if arg.num_params is too high the
kcalloc() will fail.  But eventually we're going to add a KMSAN-style
check that turns an integer overflow in size_t arithmetic into a
runtime warning.

Integer overflows are complicated because the integer overflow is
harmless.  It's just math.  If there is a bad effect, it always
happens later.  But we want to start considering it a bug in a limited
way just for sizes because that makes preventing bugs easier.

You could use:

	if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len)
		return -EINVAL;

d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  736  		return -EINVAL;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  737  
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  738  	if (arg.num_params) {
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  739  		params = kcalloc(arg.num_params, sizeof(struct tee_param),
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  740  				 GFP_KERNEL);
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  741  		if (!params)
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  742  			return -ENOMEM;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  743  		uparams = uarg->params;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  744  		rc = params_from_user(ctx, params, arg.num_params, uparams);
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  745  		if (rc)
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  746  			goto out;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  747  	}
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  748  
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  749  	rc = ctx->teedev->desc->ops->object_invoke_func(ctx, &arg, params);
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  750  	if (rc)
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  751  		goto out;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  752  
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  753  	if (put_user(arg.ret, &uarg->ret)) {
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  754  		rc = -EFAULT;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  755  		goto out;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  756  	}
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  757  	rc = params_to_user(uparams, arg.num_params, params);
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  758  out:
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  759  	if (params) {
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  760  		/* Decrease ref count for all valid shared memory pointers */
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  761  		for (n = 0; n < arg.num_params; n++)
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  762  			if (tee_param_is_memref(params + n) &&
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  763  			    params[n].u.memref.shm)
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  764  				tee_shm_put(params[n].u.memref.shm);
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  765  		kfree(params);
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  766  	}
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  767  	return rc;
d5b8b0fa1775d8 Amirreza Zarrabi 2025-09-11  768  }
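Review bot: The bound on arg.num_params is only implicit at line 735: buf_len was already capped at TEE_MAX_ARG_SIZE on lines 727-729, and because size_mul() saturates rather than wraps, a num_params large enough to overflow TEE_IOCTL_PARAM_SIZE() can never compare equal to an accepted buf_len, so this equality check is what keeps the kcalloc() on line 739 bounded — that reasoning deserves a comment at the check, e.g. `/* buf_len <= TEE_MAX_ARG_SIZE, so this also bounds num_params before kcalloc() */`. On line 728 the minimum length is spelled `sizeof(struct tee_ioctl_object_invoke_arg)` while line 735 uses `sizeof(arg)`; using `sizeof(arg)` in both places makes it visible that the same object is meant. The `out:` cleanup releases only memref shm references; if params_from_user() acquires any reference for the OBJREF attribute type this commit introduces, nothing here drops it on the error paths — params_from_user() is outside this excerpt, so that needs confirming there.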

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

