author | Joakim Bech <joakim.bech@linaro.org> | 2018-09-27 10:15:53 +0200 |
---|---|---|
committer | Jérôme Forissier <jerome.forissier@linaro.org> | 2019-01-21 18:28:37 +0100 |
commit | b60e1cee406a1ff521145ab9534370dfb85dd592 (patch) | |
tree | b329a15a74208483f83f0320014f49c497c4e563 /core/tee | |
parent | 8f58cdbe41688b6d8a5e8b06bfaef1b64c51309f (diff) |
svc: check for allocation overflow in syscall_cryp_obj_populate
Without checking for overflow there is a risk of allocating a buffer
with size smaller than anticipated and as a consequence of that it might
lead to a heap based overflow with attacker controlled data written
outside the boundaries of the buffer.
Fixes: OP-TEE-2018-0009: "Integer overflow in crypto system calls"
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Diffstat (limited to 'core/tee')
-rw-r--r-- | core/tee/tee_svc_cryp.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/core/tee/tee_svc_cryp.c b/core/tee/tee_svc_cryp.c index b47a45dd..6fac6661 100644 --- a/core/tee/tee_svc_cryp.c +++ b/core/tee/tee_svc_cryp.c @@ -4,6 +4,7 @@ */ #include <assert.h> +#include <compiler.h> #include <crypto/crypto.h> #include <kernel/tee_ta_manager.h> #include <mm/tee_mmu.h> @@ -1547,9 +1548,15 @@ TEE_Result syscall_cryp_obj_populate(unsigned long obj, if (!type_props) return TEE_ERROR_NOT_IMPLEMENTED; - attrs = malloc(sizeof(TEE_Attribute) * attr_count); + size_t alloc_size = 0; + + if (MUL_OVERFLOW(sizeof(TEE_Attribute), attr_count, &alloc_size)) + return TEE_ERROR_OVERFLOW; + + attrs = malloc(alloc_size); if (!attrs) return TEE_ERROR_OUT_OF_MEMORY; + res = copy_in_attrs(to_user_ta_ctx(sess->ctx), usr_attrs, attr_count, attrs); if (res != TEE_SUCCESS) |
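Review bot: In the second hunk, `size_t alloc_size = 0;` is declared in the middle of the function body, after the `if (!type_props)` check, so a declaration now sits between statements; consider moving it to the top of `syscall_cryp_obj_populate` and keeping only the `MUL_OVERFLOW(sizeof(TEE_Attribute), attr_count, &alloc_size)` check and `malloc(alloc_size)` here. The overflow check itself is placed correctly, before the allocation and before `copy_in_attrs()` consumes `attr_count`, and the early `return TEE_ERROR_OVERFLOW` happens before anything is allocated in the visible lines. The blank line added after `return TEE_ERROR_OUT_OF_MEMORY;` is an unrelated whitespace change and could be dropped from a security fix. Since the Fixes line refers to "crypto system calls" in the plural while this patch touches only one function, it would help if the commit message said whether other `sizeof(TEE_Attribute) * attr_count` style allocations are handled in separate commits.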