core: clear the entire TA area

Previously we cleared (memset to zero) the size corresponding to code and data segments, however the allocation for the TA is made on the granularity of the memory pool, meaning that we did not clear all memory and because of that we could potentially leak code and data of a previous loaded TA. Fixes: OP-TEE-2018-0006: "Potential disclosure of previously loaded TA code and data" Signed-off-by: Joakim Bech <[email protected]> Tested-by: Joakim Bech <[email protected]> (QEMU v7, v8) Suggested-by: Jens Wiklander <[email protected]> Reviewed-by: Jens Wiklander <[email protected]> Reported-by: Riscure <[email protected]> Reported-by: Alyssa Milburn <[email protected]> Acked-by: Etienne Carriere <[email protected]>
OP-TEE · Jan 21, 2019 · 7e768f8 · 7e768f8
1 parent 5ee85d7
commit 7e768f8
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/core/arch/arm/kernel/user_ta.c b/core/arch/arm/kernel/user_ta.c
@@ -197,8 +197,12 @@ static struct mobj *alloc_ta_mem(size_t size)
 #else
 	struct mobj *mobj = mobj_mm_alloc(mobj_sec_ddr, size, &tee_mm_sec_ddr);
 
-	if (mobj)
-		memset(mobj_get_va(mobj, 0), 0, size);
+	if (mobj) {
+		size_t granularity = BIT(tee_mm_sec_ddr.shift);
+
+		/* Round up to allocation granularity size */
+		memset(mobj_get_va(mobj, 0), 0, ROUNDUP(size, granularity));
+	}
 	return mobj;
 #endif
 }