Skip to content
Browse files
core: tee_mmu_check_access_rights() check all pages
Prior to this patch tee_mmu_check_access_rights() checks an address in
each page of a supplied range. If both the start and length of that
range is unaligned the last page in the range is sometimes not checked.
With this patch the first address of each page in the range is checked
to simplify the logic of checking each page and the range and also to
cover the last page under all circumstances.

Fixes: OP-TEE-2018-0005: "tee_mmu_check_access_rights does not check
final page of TA buffer"

Signed-off-by: Jens Wiklander <>
Tested-by: Joakim Bech <> (QEMU v7, v8)
Reviewed-by: Joakim Bech <>
Reported-by: Riscure <>
Reported-by: Alyssa Milburn <>
Acked-by: Etienne Carriere <>
  • Loading branch information
jenswi-linaro authored and jforissier committed Jan 21, 2019
1 parent 359324a commit 95f36d661f2b75887772ea28baaad904bde96970
Showing with 3 additions and 2 deletions.
  1. +3 −2 core/arch/arm/mm/tee_mmu.c
@@ -757,10 +757,11 @@ TEE_Result tee_mmu_check_access_rights(const struct user_ta_ctx *utc,
size_t len)
uaddr_t a;
uaddr_t end_addr = 0;
size_t addr_incr = MIN(CORE_MMU_USER_CODE_SIZE,

if (ADD_OVERFLOW(uaddr, len, &a))
if (ADD_OVERFLOW(uaddr, len, &end_addr))

@@ -775,7 +776,7 @@ TEE_Result tee_mmu_check_access_rights(const struct user_ta_ctx *utc,
!tee_mmu_is_vbuf_inside_ta_private(utc, (void *)uaddr, len))

for (a = uaddr; a < (uaddr + len); a += addr_incr) {
for (a = ROUNDDOWN(uaddr, addr_incr); a < end_addr; a += addr_incr) {
uint32_t attr;
TEE_Result res;

0 comments on commit 95f36d6

Please sign in to comment.