Skip to content

Commit

Permalink
core: syscall_authenc_init(): check nonce accessibility
Browse files Browse the repository at this point in the history 
syscall_authenc_init() does not check that the given nonce address is
within TA accessible memory. Fix that.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.10]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
  • Loading branch information
@jforissier
jforissier committed Feb 25, 2019
1 parent bd81e5b commit 06aa9a9
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions core/tee/tee_svc_cryp.c
View file
Expand Up @@ -2957,6 +2957,13 @@ TEE_Result syscall_authenc_init(unsigned long state, const void *nonce,
if (res != TEE_SUCCESS) if (res != TEE_SUCCESS)
return res; return res;


res = tee_mmu_check_access_rights(to_user_ta_ctx(sess->ctx),
TEE_MEMORY_ACCESS_READ |
TEE_MEMORY_ACCESS_ANY_OWNER,
(uaddr_t)nonce, nonce_len);
if (res != TEE_SUCCESS)
return res;

res = tee_svc_cryp_get_state(sess, tee_svc_uref_to_vaddr(state), &cs); res = tee_svc_cryp_get_state(sess, tee_svc_uref_to_vaddr(state), &cs);
if (res != TEE_SUCCESS) if (res != TEE_SUCCESS)
return res; return res;
Expand Down

0 comments on commit 06aa9a9

Please sign in to comment.