Please sign in to comment.
core: ensure that supplied range matches MOBJ
In set_rmem_param() if the MOBJ is found by the cookie it's verified to represent non-secure shared memory. Prior to this patch the supplied sub-range to be used of the MOBJ was not checked here and relied on later checks further down the chain. Those checks seems to be enough for user TAs, but not for pseudo TAs where the size isn't checked. This patch adds a check for offset and size to see that they remain inside the memory covered by the MOBJ. Fixes: OP-TEE-2018-0004: "Unchecked parameters are passed through from REE". Signed-off-by: Jens Wiklander <email@example.com> Tested-by: Joakim Bech <firstname.lastname@example.org> (QEMU v7, v8) Reviewed-by: Joakim Bech <email@example.com> Reported-by: Riscure <firstname.lastname@example.org> Reported-by: Alyssa Milburn <email@example.com> Acked-by: Etienne Carriere <firstname.lastname@example.org>
- Loading branch information...