Hi! > From: Jens Wiklander > > commit 573ae4f13f630d6660008f1974c0a8a29c30e18a upstream. > > With special lengths supplied by user space, register_shm_helper() has > an integer overflow when calculating the number of pages covered by a > supplied user space memory region. > > This causes internal_get_user_pages_fast() a helper function of > pin_user_pages_fast() to do a NULL pointer dereference: Maybe this needs fixing, but this fix adds a memory leak or two. Note the goto err, that needs to be done. Best regards, Pavel Signed-off-by: Pavel Machek
> +++ b/drivers/tee/tee_shm.c
> @@ -222,6 +222,9 @@ struct tee_shm *tee_shm_register(struct
> goto err;
> }
>
> + if (!access_ok((void __user *)addr, length))
> + return ERR_PTR(-EFAULT);
> +
> mutex_lock(&teedev->mutex);
> shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL);
> mutex_unlock(&teedev->mutex);
>
diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c
index 6e662fb131d5..283fa50676a2 100644
--- a/drivers/tee/tee_shm.c
+++ b/drivers/tee/tee_shm.c
@@ -222,8 +222,10 @@ struct tee_shm *tee_shm_register(struct tee_context *ctx, unsigned long addr,
 goto err;
 }
- if (!access_ok((void __user *)addr, length))
- return ERR_PTR(-EFAULT);
+ if (!access_ok((void __user *)addr, length)) {
+ ret = ERR_PTR(-EFAULT);
+ goto err;
+ }
 mutex_lock(&teedev->mutex);
 shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL);
-- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
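Review bot: The new `goto err` in the access_ok() branch relies on the `err` label's cleanup being safe for the state at this point, where `shm` exists but no idr id has been allocated yet (the `idr_alloc` follows the check); the label and the rest of tee_shm_register are outside the hunk, so please confirm `err` tolerates a partially initialized `shm` and does not release anything that has not been acquired at this point. The assignment also assumes `ret` is the function's `struct tee_shm *` result variable used by the earlier `goto err` path, which is plausible from the context line but not visible here. If nothing is acquired before `shm` is allocated, an alternative is to move the access_ok() check to the top of the function and keep the plain `return ERR_PTR(-EFAULT);`, which avoids the allocate-then-free round trip and the dependency on the label's cleanup order. A short comment above the check would help readers, e.g. `/* Reject user ranges that wrap or fall outside the user address space. */`.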