Skip to content
Permalink
Browse files

core: crypto: add overflow check when copying attributes

In copy_in_attrs(), attr_count * sizeof(struct utee_attribute) could
overflow if a very large attr_count is given. Use MUL_OVERFLOW() to
properly deal with this case.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.9]
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
  • Loading branch information...
jforissier committed Feb 5, 2019
1 parent 3bcb882 commit bd81e5b95ec910e9e3fa9f1824f3981288af5d50
Showing with 5 additions and 2 deletions.
  1. +5 −2 core/tee/tee_svc_cryp.c
@@ -1332,11 +1332,14 @@ static TEE_Result copy_in_attrs(struct user_ta_ctx *utc,
{
TEE_Result res;
uint32_t n;
size_t size = 0;

if (MUL_OVERFLOW(sizeof(struct utee_attribute), attr_count, &size))
return TEE_ERROR_OVERFLOW;

res = tee_mmu_check_access_rights(utc,
TEE_MEMORY_ACCESS_READ | TEE_MEMORY_ACCESS_ANY_OWNER,
(uaddr_t)usr_attrs,
attr_count * sizeof(struct utee_attribute));
(uaddr_t)usr_attrs, size);
if (res != TEE_SUCCESS)
return res;

0 comments on commit bd81e5b

Please sign in to comment.
You can’t perform that action at this time.