
core: verify size of allocated shared memory

Makes sure that the normal world cannot change the size of the allocated shared
memory, which would result in a smaller buffer being allocated than requested.

Suggested-by: Bastien Simondi <bsimondi@netflix.com> [1.1]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
jforissier committed Mar 12, 2019
1 parent 9348854 commit cc6bc5f94210ea24b774c997fd482c936735db71
Showing with 9 additions and 4 deletions.
  1. +9 −4 core/arch/arm/kernel/thread.c
@@ -1625,25 +1625,30 @@ static void thread_rpc_free(unsigned int bt, uint64_t cookie, struct mobj *mobj)
}

static struct mobj *get_rpc_alloc_res(struct optee_msg_arg *arg,
unsigned int bt)
unsigned int bt, size_t size)
{
struct mobj *mobj = NULL;
uint64_t cookie = 0;
size_t psize = 0;

if (arg->ret || arg->num_params != 1)
return NULL;

psize = arg->params[0].u.tmem.size;
if (psize < size)
return NULL;

if (arg->params[0].attr == OPTEE_MSG_ATTR_TYPE_TMEM_OUTPUT) {
cookie = arg->params[0].u.tmem.shm_ref;
mobj = mobj_shm_alloc(arg->params[0].u.tmem.buf_ptr,
arg->params[0].u.tmem.size,
psize,
cookie);
} else if (arg->params[0].attr == (OPTEE_MSG_ATTR_TYPE_TMEM_OUTPUT |
OPTEE_MSG_ATTR_NONCONTIG)) {
cookie = arg->params[0].u.tmem.shm_ref;
mobj = msg_param_mobj_from_noncontig(
arg->params[0].u.tmem.buf_ptr,
arg->params[0].u.tmem.size,
psize,
cookie,
true);
} else {
@@ -1684,7 +1689,7 @@ static struct mobj *thread_rpc_alloc(size_t size, size_t align, unsigned int bt)
reg_pair_from_64(carg, rpc_args + 1, rpc_args + 2);
thread_rpc(rpc_args);

return get_rpc_alloc_res(arg, bt);
return get_rpc_alloc_res(arg, bt, size);
}

struct mobj *thread_rpc_alloc_payload(size_t size)
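Review bot: The new `if (psize < size) return NULL;` in get_rpc_alloc_res rejects the buffer before any mobj is created and returns straight to the caller, so the shared memory the normal world did allocate under `arg->params[0].u.tmem.shm_ref` is never released through thread_rpc_free (visible in the hunk header); the rest of the function, including the `else` branch and whatever cleanup follows, is outside the hunk, so it is not certain from here whether a later path covers this. If not, route the rejection through the same failure path the function uses when mobj allocation fails, for example by reading the cookie first and calling `thread_rpc_free(bt, cookie, NULL);` before returning NULL, so a misbehaving normal world cannot make the secure world strand cookies. A one-line comment would also help the next reader: `/* tmem.size is normal-world controlled: refuse a buffer smaller than requested */` above the check. Using `psize` in both mobj_shm_alloc and msg_param_mobj_from_noncontig calls is consistent; the second hunk in thread_rpc_alloc only forwards `size` and needs nothing further.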
