
svc: check for allocation overflow in crypto calls

Without checking for overflow there is a risk of allocating a buffer
with size smaller than anticipated and as a consequence of that it might
lead to a heap-based overflow with attacker-controlled data written
outside the boundaries of the buffer.

Fixes: OP-TEE-2018-0010: "Integer overflow in crypto system calls (x2)"

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
jbech-linaro authored and jforissier committed Sep 27, 2018
1 parent b60e1ce commit a637243270fc1faae16de059091795c32d86e65e
Showing with 12 additions and 2 deletions.
  1. +12 −2 core/tee/tee_svc_cryp.c
@@ -1759,7 +1759,12 @@ TEE_Result syscall_obj_generate_key(unsigned long obj, unsigned long key_size,
if (key_size > type_props->max_size)
return TEE_ERROR_NOT_SUPPORTED;

params = malloc(sizeof(TEE_Attribute) * param_count);
size_t alloc_size = 0;

if (MUL_OVERFLOW(sizeof(TEE_Attribute), param_count, &alloc_size))
return TEE_ERROR_OVERFLOW;

params = malloc(alloc_size);
if (!params)
return TEE_ERROR_OUT_OF_MEMORY;
res = copy_in_attrs(to_user_ta_ctx(sess->ctx), usr_params, param_count,
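Review bot: `size_t alloc_size = 0;` is declared after executable statements (the `key_size > type_props->max_size` check) instead of with the function's other locals, so this hunk now relies on C99 mixed declarations and code; consider moving the declaration up to the function's declaration block to match the surrounding style. The check itself does what the commit message needs: `MUL_OVERFLOW(sizeof(TEE_Attribute), param_count, &alloc_size)` rejects any product that does not fit in `alloc_size`, and that same product is what is handed to `malloc()`, so the removed `malloc(sizeof(TEE_Attribute) * param_count)` can no longer wrap to a short buffer while `copy_in_attrs()` still writes `param_count` entries into it. One thing to confirm rather than assume: a `param_count` of zero passes the overflow check and yields `malloc(0)`, whose result is allocator-dependent, so if zero is not rejected earlier in `syscall_obj_generate_key` the `!params` branch may not be reached for that input.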
@@ -2668,7 +2673,12 @@ TEE_Result syscall_cryp_derive_key(unsigned long state,
if (res != TEE_SUCCESS)
return res;

params = malloc(sizeof(TEE_Attribute) * param_count);
size_t alloc_size = 0;

if (MUL_OVERFLOW(sizeof(TEE_Attribute), param_count, &alloc_size))
return TEE_ERROR_OVERFLOW;

params = malloc(alloc_size);
if (!params)
return TEE_ERROR_OUT_OF_MEMORY;
res = copy_in_attrs(utc, usr_params, param_count, params);
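Review bot: this is a verbatim second copy of the `MUL_OVERFLOW` / `TEE_ERROR_OVERFLOW` / `malloc()` / `TEE_ERROR_OUT_OF_MEMORY` sequence already added to `syscall_obj_generate_key` in the first hunk; a follow-up could factor the four lines into one small helper that either returns the `TEE_Attribute` array sized for `param_count` or fails with the error code, so that the next call site multiplying `sizeof(TEE_Attribute)` by a user-supplied count does not have to remember the check on its own. A one-line comment above `MUL_OVERFLOW` noting that `param_count` arrives from the user TA alongside `usr_params`, and that the multiplication must therefore be checked before it reaches `malloc()`, would also help: nothing in the hunk records why the plain `malloc(sizeof(TEE_Attribute) * param_count)` was unsafe, and the commit message is the only place that states it.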
