
core: check for overflow in msg_param_mobj_from_noncontig()

msg_param_mobj_from_noncontig() does not check that buf_ptr + size does
not overflow. As a result, num_pages could be computed small, while
size could be big. Only num_pages will be mapped/registered in the
returned mobj. If the caller does not compare mobj->size with required
size, it can end up manipulating memory out of the intended region.

Fix the issue by using overflow checking macros.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.2]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
jforissier committed Jan 29, 2019
1 parent 34050c2 commit e1509d6e6178011df581c535ee8bf8c147053df2
Showing with 14 additions and 7 deletions.
  1. +14 −7 core/kernel/msg_param.c
@@ -26,11 +26,12 @@
* POSSIBILITY OF SUCH DAMAGE.
*/

#include <kernel/msg_param.h>
#include <mm/mobj.h>
#include <optee_msg.h>
#include <stdio.h>
#include <types_ext.h>
#include <kernel/msg_param.h>
#include <mm/mobj.h>
#include <util.h>

/**
* msg_param_extract_pages() - extract list of pages from
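Review bot: the include block in this hunk carries both a re-sort of existing includes and the new dependency, since `#include <kernel/msg_param.h>` and `#include <mm/mobj.h>` each appear twice while the only include the fix actually needs is `#include <util.h>` for ADD_OVERFLOW()/MUL_OVERFLOW(). Unrelated include reordering in a security fix makes the change harder to backport and audit; consider keeping this hunk to the single added `#include <util.h>` line and moving the alphabetisation to a separate cleanup commit.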
@@ -115,14 +116,20 @@ struct mobj *msg_param_mobj_from_noncontig(paddr_t buf_ptr, size_t size,
uint64_t shm_ref, bool map_buffer)
{
struct mobj *mobj = NULL;
paddr_t *pages;
paddr_t page_offset;
size_t num_pages;
paddr_t *pages = NULL;
paddr_t page_offset = 0;
size_t num_pages = 0;
size_t size_plus_offs = 0;
size_t msize = 0;

page_offset = buf_ptr & SMALL_PAGE_MASK;
num_pages = (size + page_offset - 1) / SMALL_PAGE_SIZE + 1;
if (ADD_OVERFLOW(size, page_offset, &size_plus_offs))
return NULL;
num_pages = (size_plus_offs - 1) / SMALL_PAGE_SIZE + 1;
if (MUL_OVERFLOW(num_pages, sizeof(paddr_t), &msize))
return NULL;

pages = malloc(num_pages * sizeof(paddr_t));
pages = malloc(msize);
if (!pages)
return NULL;

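Review bot: the new ADD_OVERFLOW()/MUL_OVERFLOW() checks close the buf_ptr + size wrap described in the commit message, but `num_pages = (size_plus_offs - 1) / SMALL_PAGE_SIZE + 1;` still underflows when size == 0 and buf_ptr is page aligned (size_plus_offs == 0, so the subtraction wraps to SIZE_MAX and num_pages becomes enormous); MUL_OVERFLOW() does not catch this on a 64-bit size_t, and on 32-bit the resulting msize is only a few MiB, so the allocation can succeed and a zero-length buffer would map far more pages than intended. Unless every caller already rejects size == 0, add an explicit `if (!size) return NULL;` before the ADD_OVERFLOW() check, or compute num_pages with a round-up that does not subtract from a possibly-zero value, e.g. an overflow-checked `size_plus_offs + SMALL_PAGE_SIZE - 1` divided by SMALL_PAGE_SIZE. Separately, the commit message notes that callers must compare mobj->size with the required size; it would help reviewers if that expectation were stated in the function's doc comment so future callers do not rely on num_pages alone.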