Merge tag 'tee-drv-fixes-for-4.17' of... (c1c6fe6c) · Commits · 戴 / test

Merge tag 'tee-drv-fixes-for-4.17' of git://git.linaro.org/people/jens.wiklander/linux-tee into fixes Small fixes for tee subsystem * Fixes for use-after-free via temporarily dropped reference * Checks that passed shm references are consistent in offset/size with regards to the shm object * tag 'tee-drv-fixes-for-4.17' of git://git.linaro.org/people/jens.wiklander/linux-tee : tee: check shm references are consistent in offset/size tee: shm: fix use-after-free via temporarily dropped reference Signed-off-by:

Olof Johansson <olof@lixom.net>

drivers/tee/tee_core.c

+11 −0

Original line number	Diff line number	Diff line
		@@ -238,6 +238,17 @@ static int params_from_user(struct tee_context ctx, struct tee_param params,
		if (IS_ERR(shm))
		return PTR_ERR(shm);

		/*
		* Ensure offset + size does not overflow offset
		* and does not overflow the size of the referred
		* shared memory object.
		*/
		if ((ip.a + ip.b) < ip.a \|\|
		(ip.a + ip.b) > shm->size) {
		tee_shm_put(shm);
		return -EINVAL;
		}

		params[n].u.memref.shm_offs = ip.a;
		params[n].u.memref.size = ip.b;
		params[n].u.memref.shm = shm;

drivers/tee/tee_shm.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -360,9 +360,10 @@ int tee_shm_get_fd(struct tee_shm *shm)
		if (!(shm->flags & TEE_SHM_DMA_BUF))
		return -EINVAL;

		fd = dma_buf_fd(shm->dmabuf, O_CLOEXEC);
		if (fd >= 0)
		get_dma_buf(shm->dmabuf);
		fd = dma_buf_fd(shm->dmabuf, O_CLOEXEC);
		if (fd < 0)
		dma_buf_put(shm->dmabuf);
		return fd;
		}

Admin message