
core: syscall_authenc_init(): check nonce accessibility

syscall_authenc_init() does not check that the given nonce address is
within TA accessible memory. Fix that.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.10]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
jforissier committed Feb 5, 2019
1 parent bd81e5b commit 06aa9a9b4117a045197c39ba9754422ce0593c0f
Showing with 7 additions and 0 deletions.
  1. +7 −0 core/tee/tee_svc_cryp.c
@@ -2957,6 +2957,13 @@ TEE_Result syscall_authenc_init(unsigned long state, const void *nonce,
if (res != TEE_SUCCESS)
return res;

res = tee_mmu_check_access_rights(to_user_ta_ctx(sess->ctx),
TEE_MEMORY_ACCESS_READ |
TEE_MEMORY_ACCESS_ANY_OWNER,
(uaddr_t)nonce, nonce_len);
if (res != TEE_SUCCESS)
return res;

res = tee_svc_cryp_get_state(sess, tee_svc_uref_to_vaddr(state), &cs);
if (res != TEE_SUCCESS)
return res;
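
Review bot: the added tee_mmu_check_access_rights() call passes TEE_MEMORY_ACCESS_ANY_OWNER with no comment saying why memory not owned exclusively by the TA is acceptable for the nonce. A one-line comment stating the intent would help the next reader, since with that flag the buffer may be writable by another party between this check and the later read; if the nonce is consumed more than once further down, copying nonce_len bytes into a local buffer right after the check would remove that dependency. It is also worth stating, in a comment or in the commit message, what is expected when nonce_len is 0, because the visible lines pass (uaddr_t)nonce and nonce_len to the check unconditionally. Finally, the fix comes without a regression test: a test that hands syscall_authenc_init() a nonce address outside TA accessible memory and expects an error return would keep this from regressing.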
