| field | value | date |
|---|---|---|
| author | Joakim Bech <joakim.bech@linaro.org> | 2018-09-27 10:30:20 +0200 |
| committer | Jérôme Forissier <jerome.forissier@linaro.org> | 2019-01-21 18:28:37 +0100 |
| commit | 70697bf3c5dc3d201341b01a1a8e5bc6d2fb48f8 (patch) | |
| tree | 32edd7e960e6afb5e2a583633f7a55936927240b /core/tee | |
| parent | a637243270fc1faae16de059091795c32d86e65e (diff) | |
svc: check for allocation overflow in crypto calls part 2
Without checking for overflow there is a risk of allocating a buffer
with size smaller than anticipated and as a consequence of that it might
lead to a heap-based overflow with attacker-controlled data written
outside the boundaries of the buffer.
Fixes: OP-TEE-2018-0011: "Integer overflow in crypto system calls (x2)"
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Diffstat (limited to 'core/tee')
-rw-r--r-- | core/tee/tee_svc_cryp.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/core/tee/tee_svc_cryp.c b/core/tee/tee_svc_cryp.c index a5beb339..f60f3d24 100644 --- a/core/tee/tee_svc_cryp.c +++ b/core/tee/tee_svc_cryp.c @@ -3274,7 +3274,12 @@ TEE_Result syscall_asymm_operate(unsigned long state, if (res != TEE_SUCCESS) return res; - params = malloc(sizeof(TEE_Attribute) * num_params); + size_t alloc_size = 0; + + if (MUL_OVERFLOW(sizeof(TEE_Attribute), num_params, &alloc_size)) + return TEE_ERROR_OVERFLOW; + + params = malloc(alloc_size); if (!params) return TEE_ERROR_OUT_OF_MEMORY; res = copy_in_attrs(utc, usr_params, num_params, params); @@ -3436,7 +3441,12 @@ TEE_Result syscall_asymm_verify(unsigned long state, if (res != TEE_SUCCESS) return res; - params = malloc(sizeof(TEE_Attribute) * num_params); + size_t alloc_size = 0; + + if (MUL_OVERFLOW(sizeof(TEE_Attribute), num_params, &alloc_size)) + return TEE_ERROR_OVERFLOW; + + params = malloc(alloc_size); if (!params) return TEE_ERROR_OUT_OF_MEMORY; res = copy_in_attrs(utc, usr_params, num_params, params); |
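Review bot: In the syscall_asymm_operate hunk, `size_t alloc_size = 0;` is declared in the middle of the function body, after the `if (res != TEE_SUCCESS) return res;` statement; OP-TEE core code keeps declarations at the top of the block, so move the declaration up with the other locals and keep only the `MUL_OVERFLOW` check and the `malloc(alloc_size)` call at this point. The overflow check itself is correct: `MUL_OVERFLOW` returns true when `sizeof(TEE_Attribute) * num_params` does not fit in `size_t`, and the early `return TEE_ERROR_OVERFLOW` prevents the undersized allocation that the commit message describes. One pre-existing corner case worth a comment: when `num_params` is 0, `alloc_size` is 0 and, depending on the allocator, `malloc(0)` may return NULL, which the following `if (!params)` reports as `TEE_ERROR_OUT_OF_MEMORY` rather than as an empty parameter list.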
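Review bot: The syscall_asymm_verify hunk duplicates the same five lines (declaration, `MUL_OVERFLOW` check, `return TEE_ERROR_OVERFLOW`, `malloc(alloc_size)`) that the syscall_asymm_operate hunk adds; a small static helper that performs the overflow-checked allocation of `num_params` attributes and returns the `TEE_Result` would keep both call sites, and any future one, on a single implementation. The same placement point applies here: `size_t alloc_size = 0;` sits after executable statements and should be moved to the top of the block.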