diff options
author | Jerome Forissier <jerome.forissier@linaro.org> | 2019-02-05 17:41:23 +0100 |
---|---|---|
committer | Jérôme Forissier <jerome.forissier@linaro.org> | 2019-02-25 14:23:58 +0100 |
commit | 06aa9a9b4117a045197c39ba9754422ce0593c0f (patch) | |
tree | 26f87823a5fa02d52e1d9b3f2c8eb7d5704d24a3 /core/tee | |
parent | bd81e5b95ec910e9e3fa9f1824f3981288af5d50 (diff) |
core: syscall_authenc_init(): check nonce accessibility
syscall_authenc_init() does not check that the given nonce address is
within TA accessible memory. Fix that.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.10]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Diffstat (limited to 'core/tee')
-rw-r--r-- | core/tee/tee_svc_cryp.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/core/tee/tee_svc_cryp.c b/core/tee/tee_svc_cryp.c index b6012460..46879ab8 100644 --- a/core/tee/tee_svc_cryp.c +++ b/core/tee/tee_svc_cryp.c @@ -2957,6 +2957,13 @@ TEE_Result syscall_authenc_init(unsigned long state, const void *nonce, if (res != TEE_SUCCESS) return res; + res = tee_mmu_check_access_rights(to_user_ta_ctx(sess->ctx), + TEE_MEMORY_ACCESS_READ | + TEE_MEMORY_ACCESS_ANY_OWNER, + (uaddr_t)nonce, nonce_len); + if (res != TEE_SUCCESS) + return res; + res = tee_svc_cryp_get_state(sess, tee_svc_uref_to_vaddr(state), &cs); if (res != TEE_SUCCESS) return res; |