AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2024-12-05 07:36:56 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity

Small fixes for tee subsystem

Browse Source 
* Fixes for use-after-free via temporarily dropped reference
 * Checks that passed shm references are consistent in offset/size
   with regards to the shm object
 -----BEGIN PGP SIGNATURE-----
 
 iQJOBAABCgA4FiEEcK3MsDvGvFp6zV9ztbC4QZeP7NMFAlrwQM0aHGplbnMud2lr
 bGFuZGVyQGxpbmFyby5vcmcACgkQtbC4QZeP7NMzVBAAvQa9VUku8wN4iPUEr3mL
 +f3Ur84IW449WLiShLye+EYHJSNaIFiGLlAymIgT1s1XKX0u1eIW88rjnrapljVF
 WHGPYCUnysU1Mit4j1/7RD3WqjT5Yn5K/7BOmM0FNGZEy0eRMD2/+172ddAnr9zX
 O0q/XO4AvAv69P+6cQbIrFrsvuJdxxAsI0nWuMxWxRvHlz72uIlglT510dgA5QJH
 OVvlFreFQDaX8uasUmEOK8tstYoWk5YmyiUiEk5j/wW9g65ZJpujS4DHJUmvV7L5
 bd3MoyynYl1sOJXyvF1mfo8Moyhdq/sD67u7HMznqdQm6E/aDjStM1/XCXveKKZq
 c2WVSyDHwqmKhGQNgvVaWTpljbDnw3SSJ5i+cqf73pZkVDAq9+AanE0yt0WLig7m
 AntnaLRjMl49e6Q4hA3KP1pITmmDlS0vsXHtglVM0N0Z64ekxHEhapEzPJwMrJ0u
 mgJA5r5r/oYkI3RQ2Wkp1gY5Yn2scfcySt60TS76AgTtqz2LF3xCIGItNU8QvWtp
 +nCRw3UV20myNhqcSNPtof2dXTiqDtbBxDrGf3Wxlys5SIeLWjY7YMTcyWragp4D
 4uidorGFtmWew0WA4g5W8pQ6SS+0RHLCM3KB1Lz07IM0d7YCxVPzr7BnUiJ/+x4b
 2BhKDk1ANaQZtPw/1kpIjik=
 =7lYR
 -----END PGP SIGNATURE-----

Merge tag 'tee-drv-fixes-for-4.17' of git://git.linaro.org/people/jens.wiklander/linux-tee into fixes

Small fixes for tee subsystem

* Fixes for use-after-free via temporarily dropped reference
* Checks that passed shm references are consistent in offset/size
  with regards to the shm object

* tag 'tee-drv-fixes-for-4.17' of git://git.linaro.org/people/jens.wiklander/linux-tee:
  tee: check shm references are consistent in offset/size
  tee: shm: fix use-after-free via temporarily dropped reference

Signed-off-by: Olof Johansson <olof@lixom.net>
This commit is contained in:
Olof Johansson 2018-05-14 01:02:11 -07:00
commit c1c6fe6c66
2 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
drivers/tee/tee_core.c
View File

@ -238,6 +238,17 @@ static int params_from_user(struct tee_context *ctx, struct tee_param *params,
if (IS_ERR(shm))
return PTR_ERR(shm);
/*
* Ensure offset + size does not overflow offset
* and does not overflow the size of the referred
* shared memory object.
*/
if ((ip.a + ip.b) < ip.a ||
(ip.a + ip.b) > shm->size) {
tee_shm_put(shm);
return -EINVAL;
}
params[n].u.memref.shm_offs = ip.a;
params[n].u.memref.size = ip.b;
params[n].u.memref.shm = shm;

5
drivers/tee/tee_shm.c
View File

@ -360,9 +360,10 @@ int tee_shm_get_fd(struct tee_shm *shm)
if (!(shm->flags & TEE_SHM_DMA_BUF))
return -EINVAL;
get_dma_buf(shm->dmabuf);
fd = dma_buf_fd(shm->dmabuf, O_CLOEXEC);
if (fd >= 0)
get_dma_buf(shm->dmabuf);
if (fd < 0)
dma_buf_put(shm->dmabuf);
return fd;
}