core: scrub user-tainted memory returned by alloc_temp_sec_mem()
This is a security fix for TA-to-TA calls.

In syscall_open_ta_session() and syscall_invoke_ta_command(), caller TA can reference some private memory, in which case the kernel makes a temporary copy. Unfortunately, memory allocated through alloc_temp_sec_mem() is not cleared when returned. One could leverage this to copy arbitrary data into this secure memory pool or to snoop former data from a previous call done by another TA (e.g., using TEE_PARAM_TYPE_MEMREF_OUTPUT allows mapping the data while not overwriting it, hence accessing what is already there).

This patch introduces mobj_free_wipe() to clear and free an mobj.

Signed-off-by: Jerome Forissier <firstname.lastname@example.org>
Reported-by: Bastien Simondi <email@example.com> [1.5]
Reviewed-by: Jens Wiklander <firstname.lastname@example.org>
Reviewed-by: Joakim Bech <email@example.com>
Showing with 12 additions and 2 deletions.
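
A minimal C model of the buffer-reuse problem the commit message describes, added here as an illustration and not taken from OP-TEE. The names temp_alloc(), temp_free() and temp_free_wipe() are hypothetical, and the secret is constructed sample data; the model measures how many bytes from one call remain readable by the next call when its buffer is output-only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model (hypothetical names): a one-slot temporary pool that hands the
 * same region to successive callers, like a small secure-memory pool. */
static uint8_t pool[64];
static int pool_busy;
static const uint8_t secret[] = "constructed-sample-key-material";

static uint8_t *temp_alloc(size_t len)
{
    if (pool_busy || len > sizeof(pool))
        return NULL;
    pool_busy = 1;
    return pool; /* contents are whatever the previous user left */
}

static void temp_free(uint8_t *p) { (void)p; pool_busy = 0; } /* before the fix */

/* After the fix: clear, then release. Volatile stores keep the compiler
 * from discarding the wipe as a dead store. */
static void temp_free_wipe(uint8_t *p, size_t len)
{
    for (volatile uint8_t *v = p; len--; v++)
        *v = 0;
    pool_busy = 0;
}

/* Call 1 copies a caller's private buffer into the pool and frees it; call 2
 * gets an output-only buffer. Returns how many bytes of call 1 it can read. */
static size_t stale_bytes_seen(int wipe)
{
    size_t n = sizeof(secret) - 1, hits = 0;
    uint8_t *a = temp_alloc(n);
    if (!a) return (size_t)-1;
    memcpy(a, secret, n);
    if (wipe) temp_free_wipe(a, n); else temp_free(a);
    uint8_t *b = temp_alloc(n);
    if (!b) return (size_t)-1;
    for (size_t i = 0; i < n; i++)
        hits += (b[i] == secret[i]);
    temp_free_wipe(b, n);
    return hits;
}

int main(void)
{
    printf("stale bytes: %zu unwiped, %zu wiped\n", stale_bytes_seen(0), stale_bytes_seen(1));
}
```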