From bcc81cf8f0ec93c62ff5bc1b1c3d09e50cc2525f Mon Sep 17 00:00:00 2001
From: Jerome Forissier
Date: Tue, 29 Jan 2019 15:54:31 +0100
Subject: [PATCH] core: umap_add_region(): add overflow check

Use ADD_OVERFLOW() to be more resilient to very large values potentially passed to umap_add_region().

Signed-off-by: Jerome Forissier
Reported-by: Bastien Simondi [1.3]
Reviewed-by: Jens Wiklander
Reviewed-by: Joakim Bech
---
 core/arch/arm/mm/tee_mmu.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/core/arch/arm/mm/tee_mmu.c b/core/arch/arm/mm/tee_mmu.c
index 05e2fc8935a..18fe9163ad6 100644
--- a/core/arch/arm/mm/tee_mmu.c
+++ b/core/arch/arm/mm/tee_mmu.c
@@ -161,11 +161,12 @@ static void free_pgt(struct user_ta_ctx *utc, vaddr_t base, size_t size)
 
 static TEE_Result umap_add_region(struct vm_info *vmi, struct vm_region *reg)
 {
- struct vm_region *r;
- struct vm_region *prev_r;
- vaddr_t va_range_base;
- size_t va_range_size;
- vaddr_t va;
+ struct vm_region *r = NULL;
+ struct vm_region *prev_r = NULL;
+ vaddr_t va_range_base = 0;
+ size_t va_range_size = 0;
+ vaddr_t va = 0;
+ size_t offs_plus_size = 0;
 
 core_mmu_get_user_va_range(&va_range_base, &va_range_size);
 
@@ -174,8 +175,9 @@ static TEE_Result umap_add_region(struct vm_info *vmi, struct vm_region *reg)
 return TEE_ERROR_ACCESS_CONFLICT;
 
 /* Check that the mobj is defined for the entire range */
- if ((reg->offset + reg->size) >
- ROUNDUP(reg->mobj->size, SMALL_PAGE_SIZE))
+ if (ADD_OVERFLOW(reg->offset, reg->size, &offs_plus_size))
+ return TEE_ERROR_BAD_PARAMETERS;
+ if (offs_plus_size > ROUNDUP(reg->mobj->size, SMALL_PAGE_SIZE))
 return TEE_ERROR_BAD_PARAMETERS;
 
 prev_r = NULL;
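Review bot: The new guard in the second hunk stops `reg->offset + reg->size` from wrapping, but the right-hand side `ROUNDUP(reg->mobj->size, SMALL_PAGE_SIZE)` is still unguarded: assuming the usual `(v + align - 1) & ~(align - 1)` definition, an `mobj->size` within `SMALL_PAGE_SIZE - 1` of `SIZE_MAX` rounds to a small value, so the comparison rejects the region (it fails closed in practice) rather than accepting it, which is acceptable but should be stated. I would extend the existing comment to `/* Check that the mobj is defined for the entire range; offset+size must not wrap (a wrapped ROUNDUP() of mobj->size only fails closed) */`. If the region-overlap logic further down computes `reg->va + reg->size` — it is outside this hunk, so I cannot confirm — it needs the same ADD_OVERFLOW() treatment, since the commit message's concern about very large values applies equally to the VA side. umap_add_region's body continues past the end of the hunk.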