From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jerome Forissier <jerome@forissier.org>,
	Sumit Garg <sumit.garg@linaro.org>,
	Jens Wiklander <jens.wiklander@linaro.org>,
	Sasha Levin <sashal@kernel.org>,
	op-tee@lists.trustedfirmware.org
Subject: [PATCH AUTOSEL 4.19 10/21] tee: optee: do not check memref size on return from Secure World
Date: Sun,  2 May 2021 10:05:06 -0400
Message-ID: <20210502140517.2719912-10-sashal@kernel.org>
In-Reply-To: <20210502140517.2719912-1-sashal@kernel.org>

From: Jerome Forissier <jerome@forissier.org>

[ Upstream commit c650b8dc7a7910eb25af0aac1720f778b29e679d ]

When Secure World returns, it may have changed the size attribute of the
memory references passed as [in/out] parameters. The GlobalPlatform TEE
Internal Core API specification does not restrict the values that this
size can take. In particular, Secure World may increase the value to be
larger than the size of the input buffer to indicate that it needs more.

Therefore, the size check in optee_from_msg_param() is incorrect and
needs to be removed. This fixes a number of failed test cases in the
GlobalPlatform TEE Initial Configuration Test Suite v2_0_0_0-2017_06_09
when OP-TEE is compiled without dynamic shared memory support
(CFG_CORE_DYN_SHM=n).

Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tee/optee/core.c | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c
index 2f254f957b0a..1d71fcb13dba 100644
--- a/drivers/tee/optee/core.c
+++ b/drivers/tee/optee/core.c
@@ -87,16 +87,6 @@ int optee_from_msg_param(struct tee_param *params, size_t num_params,
 				return rc;
 			p->u.memref.shm_offs = mp->u.tmem.buf_ptr - pa;
 			p->u.memref.shm = shm;
-
-			/* Check that the memref is covered by the shm object */
-			if (p->u.memref.size) {
-				size_t o = p->u.memref.shm_offs +
-					   p->u.memref.size - 1;
-
-				rc = tee_shm_get_pa(shm, o, NULL);
-				if (rc)
-					return rc;
-			}
 			break;
 		case OPTEE_MSG_ATTR_TYPE_RMEM_INPUT:
 		case OPTEE_MSG_ATTR_TYPE_RMEM_OUTPUT:
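
Review bot: After this deletion the TMEM case hands p->u.memref.size back to the caller exactly as Secure World wrote it, and nothing at the spot before "break;" records that the value may now exceed the shm object. Please leave a short comment there stating that size is untrusted on return and can be larger than the buffer (the "needs more" case from the commit message), so that any consumer bounds it against the shm size before using it as a length. Note also that the removed block was the only range check visible in this hunk for the returned memref: shm_offs is still computed from "mp->u.tmem.buf_ptr - pa" but is no longer validated against the shm object here. If buf_ptr is guaranteed unchanged on return, say so in the comment; otherwise consider keeping a check on the offset alone and dropping only the size part.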
-- 
2.30.2

