
core: umap_add_region(): add overflow check

Use ADD_OVERFLOW() to be more resilient to very large values
potentially passed to umap_add_region().

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.3]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
jforissier committed Jan 29, 2019
1 parent de5a134 commit bcc81cf8f0ec93c62ff5bc1b1c3d09e50cc2525f
Showing with 9 additions and 7 deletions.
  1. +9 −7 core/arch/arm/mm/tee_mmu.c
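--- a/core/arch/arm/mm/tee_mmu.c
+++ b/core/arch/arm/mm/tee_mmu.c
@@ -161,11 +161,12 @@ static void free_pgt(struct user_ta_ctx *utc, vaddr_t base, size_t size)
 
 static TEE_Result umap_add_region(struct vm_info *vmi, struct vm_region *reg)
 {
-struct vm_region *r;
-struct vm_region *prev_r;
-vaddr_t va_range_base;
-size_t va_range_size;
-vaddr_t va;
+struct vm_region *r = NULL;
+struct vm_region *prev_r = NULL;
+vaddr_t va_range_base = 0;
+size_t va_range_size = 0;
+vaddr_t va = 0;
+size_t offs_plus_size = 0;
 
 core_mmu_get_user_va_range(&va_range_base, &va_range_size);
 
@@ -174,8 +175,9 @@ static TEE_Result umap_add_region(struct vm_info *vmi, struct vm_region *reg)
 return TEE_ERROR_ACCESS_CONFLICT;
 
 /* Check that the mobj is defined for the entire range */
-if ((reg->offset + reg->size) >
-ROUNDUP(reg->mobj->size, SMALL_PAGE_SIZE))
+if (ADD_OVERFLOW(reg->offset, reg->size, &offs_plus_size))
+return TEE_ERROR_BAD_PARAMETERS;
+if (offs_plus_size > ROUNDUP(reg->mobj->size, SMALL_PAGE_SIZE))
 return TEE_ERROR_BAD_PARAMETERS;
 
 prev_r = NULL;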
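Review bot: The right-hand side of the new bound check, `ROUNDUP(reg->mobj->size, SMALL_PAGE_SIZE)`, is still unchecked arithmetic. The sum is now guarded by ADD_OVERFLOW(), but a mobj size within a page of the type's maximum would presumably wrap the round-up to a small value. That case fails closed for any non-zero range, so the exposure looks limited, but the assumption deserves a comment next to the check, e.g. `/* mobj->size is assumed small enough that ROUNDUP() cannot wrap */`. umap_add_region() continues past the last line of this hunk, so later additions involving `va` and `reg->size` are not visible here and would need the same ADD_OVERFLOW() treatment if present. As a minor style point, the trailing `prev_r = NULL;` is redundant now that the declaration initialises it.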
