svc: check for allocation overflow in syscall_cryp_obj_populate

Without checking for overflow there is a risk of allocating a buffer with size smaller than anticipated and as a consequence of that it might lead to a heap based overflow with attacker controlled data written outside the boundaries of the buffer. Fixes: OP-TEE-2018-0009: "Integer overflow in crypto system calls" Signed-off-by: Joakim Bech <joakim.bech@linaro.org> Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8) Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reported-by: Riscure <inforequest@riscure.com> Reported-by: Alyssa Milburn <a.a.milburn@vu.nl> Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
OP-TEE · Jan 21, 2019 · b60e1ce · b60e1ce
1 parent 8f58cdb
commit b60e1ce
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/core/tee/tee_svc_cryp.c b/core/tee/tee_svc_cryp.c
@@ -4,6 +4,7 @@
  */
 
 #include <assert.h>
+#include <compiler.h>
 #include <crypto/crypto.h>
 #include <kernel/tee_ta_manager.h>
 #include <mm/tee_mmu.h>
@@ -1547,9 +1548,15 @@ TEE_Result syscall_cryp_obj_populate(unsigned long obj,
 	if (!type_props)
 		return TEE_ERROR_NOT_IMPLEMENTED;
 
-	attrs = malloc(sizeof(TEE_Attribute) * attr_count);
+	size_t alloc_size = 0;
+
+	if (MUL_OVERFLOW(sizeof(TEE_Attribute), attr_count, &alloc_size))
+		return TEE_ERROR_OVERFLOW;
+
+	attrs = malloc(alloc_size);
 	if (!attrs)
 		return TEE_ERROR_OUT_OF_MEMORY;
+
 	res = copy_in_attrs(to_user_ta_ctx(sess->ctx), usr_attrs, attr_count,
 			    attrs);
 	if (res != TEE_SUCCESS)