Commit e3adcf5

jenswi-linaro authored and jforissier committed
core: ensure that supplied range matches MOBJ
In set_rmem_param() if the MOBJ is found by the cookie it's verified to represent non-secure shared memory. Prior to this patch the supplied sub-range to be used of the MOBJ was not checked here and relied on later checks further down the chain. Those checks seem to be enough for user TAs, but not for pseudo TAs where the size isn't checked. This patch adds a check for offset and size to see that they remain inside the memory covered by the MOBJ.

Fixes: OP-TEE-2018-0004: "Unchecked parameters are passed through from REE".

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
1 parent 99e8a8c commit e3adcf5

1 file changed

+9
-0
lines changed

Diff for: core/arch/arm/tee/entry_std.c

+9
@@ -101,6 +101,7 @@ static TEE_Result set_tmem_param(const struct optee_msg_param_tmem *tmem,
101101
static TEE_Result set_rmem_param(const struct optee_msg_param_rmem *rmem,
102102
struct param_mem *mem)
103103
{
104+
size_t req_size = 0;
104105
uint64_t shm_ref = READ_ONCE(rmem->shm_ref);
105106

106107
mem->mobj = mobj_reg_shm_get_by_cookie(shm_ref);
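Review bot: the `= 0` initialiser on `size_t req_size = 0;` is not needed for correctness, since req_size is only read in the later `mem->mobj->size < req_size` comparison, which the `||` short-circuits past whenever ADD_OVERFLOW() reports a wrap; keeping it is harmless and matches the defensive style of the rest of set_rmem_param(), but a short comment at the declaration saying it holds the end offset of the requested sub-range would help a reader who sees this hunk in isolation.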
@@ -110,6 +111,14 @@ static TEE_Result set_rmem_param(const struct optee_msg_param_rmem *rmem,
110111
mem->offs = READ_ONCE(rmem->offs);
111112
mem->size = READ_ONCE(rmem->size);
112113

114+
/*
115+
* Check that the supplied offset and size is covered by the
116+
* previously verified MOBJ.
117+
*/
118+
if (ADD_OVERFLOW(mem->offs, mem->size, &req_size) ||
119+
mem->mobj->size < req_size)
120+
return TEE_ERROR_SECURITY;
121+
113122
return TEE_SUCCESS;
114123
}
115124

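Review bot: the new comment reads "offset and size is covered"; it should be "are covered". The check itself is sound: ADD_OVERFLOW(mem->offs, mem->size, &req_size) rejects a wrapped offs+size before the comparison is made, and `mem->mobj->size < req_size` rejects any sub-range that extends past the MOBJ already verified earlier in this function, so a pseudo TA that skips its own size check can no longer be handed memory outside the registered shared-memory object. One point to confirm is the early `return TEE_ERROR_SECURITY;` path: mem->mobj was obtained from mobj_reg_shm_get_by_cookie() at line 107 of the previous hunk and is still set when this function fails, so the caller's error handling must release that reference in the same way it does for the existing error returns in the elided lines 104-110; if it does not, this return needs the same cleanup.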