core: syscall_authenc_init(): check nonce accessibility

syscall_authenc_init() does not check that the given nonce address is within TA accessible memory. Fix that. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.10] Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
author: Jerome Forissier <jerome.forissier@linaro.org> 2019-02-05 17:41:23 +0100
committer: Jérôme Forissier <jerome.forissier@linaro.org> 2019-02-25 14:23:58 +0100
commit: 06aa9a9b4117a045197c39ba9754422ce0593c0f (patch)
tree: 26f87823a5fa02d52e1d9b3f2c8eb7d5704d24a3 /core/tee
parent: bd81e5b95ec910e9e3fa9f1824f3981288af5d50 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/core/tee/tee_svc_cryp.c b/core/tee/tee_svc_cryp.c
index b6012460..46879ab8 100644
--- a/core/tee/tee_svc_cryp.c
+++ b/core/tee/tee_svc_cryp.c
@@ -2957,6 +2957,13 @@ TEE_Result syscall_authenc_init(unsigned long state, const void *nonce,
 	if (res != TEE_SUCCESS)
 		return res;
 
+	res = tee_mmu_check_access_rights(to_user_ta_ctx(sess->ctx),
+					  TEE_MEMORY_ACCESS_READ |
+					  TEE_MEMORY_ACCESS_ANY_OWNER,
+					  (uaddr_t)nonce, nonce_len);
+	if (res != TEE_SUCCESS)
+		return res;
+
 	res = tee_svc_cryp_get_state(sess, tee_svc_uref_to_vaddr(state), &cs);
 	if (res != TEE_SUCCESS)
 		return res;
author	Jerome Forissier <jerome.forissier@linaro.org>	2019-02-05 17:41:23 +0100
committer	Jérôme Forissier <jerome.forissier@linaro.org>	2019-02-25 14:23:58 +0100
commit	06aa9a9b4117a045197c39ba9754422ce0593c0f (patch)
tree	26f87823a5fa02d52e1d9b3f2c8eb7d5704d24a3 /core/tee
parent	bd81e5b95ec910e9e3fa9f1824f3981288af5d50 (diff)