
Commit a637243

jbech-linaro authored and jforissier committed
svc: check for allocation overflow in crypto calls
Without checking for overflow there is a risk of allocating a buffer with size smaller than anticipated and as a consequence of that it might lead to a heap based overflow with attacker controlled data written outside the boundaries of the buffer.

Fixes: OP-TEE-2018-0010: "Integer overflow in crypto system calls (x2)"

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
1 parent b60e1ce commit a637243

1 file changed

+12
-2
lines changed

Diff for: core/tee/tee_svc_cryp.c

@@ -1759,7 +1759,12 @@ TEE_Result syscall_obj_generate_key(unsigned long obj, unsigned long key_size,
17591759
if (key_size > type_props->max_size)
17601760
return TEE_ERROR_NOT_SUPPORTED;
17611761

1762-
params = malloc(sizeof(TEE_Attribute) * param_count);
1762+
size_t alloc_size = 0;
1763+
1764+
if (MUL_OVERFLOW(sizeof(TEE_Attribute), param_count, &alloc_size))
1765+
return TEE_ERROR_OVERFLOW;
1766+
1767+
params = malloc(alloc_size);
17631768
if (!params)
17641769
return TEE_ERROR_OUT_OF_MEMORY;
17651770
res = copy_in_attrs(to_user_ta_ctx(sess->ctx), usr_params, param_count,
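Review bot: `size_t alloc_size = 0;` is declared mid-block, after the `key_size > type_props->max_size` check; the kernel-style layout used in this file keeps declarations at the top of the function, so consider moving it up next to the existing `params` declaration. The check itself is the right shape: `MUL_OVERFLOW(sizeof(TEE_Attribute), param_count, &alloc_size)` produces the checked product and `malloc(alloc_size)` is the only consumer, so a `param_count` large enough to wrap the multiplication now returns `TEE_ERROR_OVERFLOW` instead of yielding an undersized buffer that `copy_in_attrs()` would then overrun. One thing the hunk does not change: `param_count == 0` still reaches `malloc(0)`, whose result is implementation-defined; the following `if (!params)` branch covers the NULL case, but a zero-count early return would make the intent explicit.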
@@ -2668,7 +2673,12 @@ TEE_Result syscall_cryp_derive_key(unsigned long state,
26682673
if (res != TEE_SUCCESS)
26692674
return res;
26702675

2671-
params = malloc(sizeof(TEE_Attribute) * param_count);
2676+
size_t alloc_size = 0;
2677+
2678+
if (MUL_OVERFLOW(sizeof(TEE_Attribute), param_count, &alloc_size))
2679+
return TEE_ERROR_OVERFLOW;
2680+
2681+
params = malloc(alloc_size);
26722682
if (!params)
26732683
return TEE_ERROR_OUT_OF_MEMORY;
26742684
res = copy_in_attrs(utc, usr_params, param_count, params);
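Review bot: this hunk is a line-for-line copy of the `syscall_obj_generate_key()` fix, and the commit message says the same pattern existed in two syscalls; rather than carrying the three-line `MUL_OVERFLOW` preamble into each caller, a small helper that takes the element count and does the checked multiply plus `malloc()` would make it harder for the next `params = malloc(sizeof(TEE_Attribute) * param_count)` to land without the check. Otherwise the logic holds: `copy_in_attrs(utc, usr_params, param_count, params)` writes `param_count` attributes into `params`, so the buffer must be exactly the checked `alloc_size`, which is what `malloc(alloc_size)` now guarantees.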
