core: umap_add_region(): add overflow check
Use ADD_OVERFLOW() to be more resilient to very large values
potentially passed to umap_add_region().

Signed-off-by: Jerome Forissier <[email protected]>
Reported-by: Bastien Simondi <[email protected]> [1.3]
Reviewed-by: Jens Wiklander <[email protected]>
Reviewed-by: Joakim Bech <[email protected]>
jforissier committed Feb 25, 2019
1 parent de5a134 commit bcc81cf
Showing 1 changed file with 9 additions and 7 deletions.
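--- a/core/arch/arm/mm/tee_mmu.c
+++ b/core/arch/arm/mm/tee_mmu.c
@@ -161,11 +161,12 @@ static void free_pgt(struct user_ta_ctx *utc, vaddr_t base, size_t size)
 
 static TEE_Result umap_add_region(struct vm_info *vmi, struct vm_region *reg)
 {
-struct vm_region *r;
-struct vm_region *prev_r;
-vaddr_t va_range_base;
-size_t va_range_size;
-vaddr_t va;
+struct vm_region *r = NULL;
+struct vm_region *prev_r = NULL;
+vaddr_t va_range_base = 0;
+size_t va_range_size = 0;
+vaddr_t va = 0;
+size_t offs_plus_size = 0;
 
 core_mmu_get_user_va_range(&va_range_base, &va_range_size);
 
@@ -174,8 +175,9 @@ static TEE_Result umap_add_region(struct vm_info *vmi, struct vm_region *reg)
 return TEE_ERROR_ACCESS_CONFLICT;
 
 /* Check that the mobj is defined for the entire range */
-if ((reg->offset + reg->size) >
-ROUNDUP(reg->mobj->size, SMALL_PAGE_SIZE))
+if (ADD_OVERFLOW(reg->offset, reg->size, &offs_plus_size))
+return TEE_ERROR_BAD_PARAMETERS;
+if (offs_plus_size > ROUNDUP(reg->mobj->size, SMALL_PAGE_SIZE))
 return TEE_ERROR_BAD_PARAMETERS;
 
 prev_r = NULL;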
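Review bot: The right-hand side of the new comparison in the second hunk, `ROUNDUP(reg->mobj->size, SMALL_PAGE_SIZE)`, is still unchecked arithmetic, while only `reg->offset + reg->size` is guarded by `ADD_OVERFLOW()`. If ROUNDUP is the usual add-then-mask macro (its definition is not on this page), a `mobj->size` within a page of the type's maximum wraps to 0; that rejects every non-zero `offs_plus_size`, so the check appears to fail closed, but a region with offset 0 and size 0 would pass unless zero sizes are rejected in the lines not shown. I would state this next to the check, e.g. `/* ROUNDUP() may wrap to 0 for a huge mobj->size; any non-empty range is then rejected */`, and confirm that `reg->size == 0` and a NULL `reg->mobj` cannot reach this point. umap_add_region() continues past the end of the hunk, so later arithmetic on the region's address and size cannot be assessed from this page.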
