core: do not use virtual addresses as session identifier
Session context virtual address is returned to the REE in entry_open_session(); it is then used back in entry_close_session() and entry_invoke_command(). Sharing virtual addresses with the REE leads to virtual memory address disclosure that could be leveraged to defeat ASLR (if/when implemented) and/or mount an attack. Similarly, syscall_open_ta_session() returns a session ID directly derived from the session virtual address to the caller TA.

This commit introduces a 32-bit identifier field in struct tee_ta_session. The ID is generated when the session is created, starting from the id of the last session in the queue, and counting up until a number that is not used in the session queue is found.

Signed-off-by: Jerome Forissier <firstname.lastname@example.org>
Reported-by: Bastien Simondi <email@example.com> [2.1]
Reviewed-by: Jens Wiklander <firstname.lastname@example.org>
Reviewed-by: Joakim Bech <email@example.com>
Showing with 66 additions and 14 deletions.
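The allocation scheme the commit message describes, as an added illustration that is not OP-TEE's own code: sessions are addressed by an opaque 32-bit ID instead of a kernel virtual address, a new ID is chosen by counting up from the newest session's ID until one not present in the queue is found, and every ID arriving from outside is validated by lookup. The names (struct sess, sess_queue, sess_open, sess_lookup, sess_close) are hypothetical, and the queue is assumed to keep the most recently opened session at its head.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Illustrative session record; names are hypothetical, not OP-TEE's own. */
struct sess {
	uint32_t id;       /* opaque handle given to the REE / caller TA */
	void *ctx;         /* kernel-internal pointer; never leaves the TEE */
	struct sess *next;
};
static struct sess *sess_queue;  /* head is the most recently opened session */
/* Every ID supplied from outside is validated here; unknown IDs yield NULL. */
struct sess *sess_lookup(uint32_t id)
{
	for (struct sess *s = sess_queue; s; s = s->next)
		if (s->id == id)
			return s;
	return NULL;
}
/* Start after the newest session's ID and count up until a free one is found. */
static uint32_t sess_alloc_id(void)
{
	uint32_t id = sess_queue ? sess_queue->id : 0;
	do {
		/* wraps at 2^32; keep 0 free to mean "no session" */
		if (++id == 0) id = 1;
	} while (sess_lookup(id));
	return id;
}

uint32_t sess_open(void)
{
	struct sess *s = calloc(1, sizeof(*s));
	if (!s) return 0;
	s->id = sess_alloc_id();
	s->next = sess_queue;
	sess_queue = s;
	return s->id;        /* only the ID crosses the TEE boundary */
}

bool sess_close(uint32_t id)
{
	for (struct sess **p = &sess_queue; *p; p = &(*p)->next)
		if ((*p)->id == id) {
			struct sess *s = *p;
			*p = s->next;
			free(s);
			return true;
		}
	return false;
}
```

Closing a session in the middle of the queue leaves a gap that is not reused immediately, because allocation always resumes from the newest session's ID; the gap is only revisited after a wrap-around.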