core: crypto: add overflow check when copying attributes

In copy_in_attrs(), attr_count * sizeof(struct utee_attribute) could overflow if a very large attr_count is given. Use MUL_OVERFLOW() to properly deal with this case. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.9] Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
author: Jerome Forissier <jerome.forissier@linaro.org> 2019-02-05 15:49:50 +0100
committer: Jérôme Forissier <jerome.forissier@linaro.org> 2019-02-25 14:23:58 +0100
commit: bd81e5b95ec910e9e3fa9f1824f3981288af5d50 (patch)
tree: b7bfe79345cc1d5a1dc86218d8c3024f192014b1 /core
parent: 3bcb882f200c2dd14ea1937031d5bd97bf6a78ca (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/core/tee/tee_svc_cryp.c b/core/tee/tee_svc_cryp.c
index 7420ca86..b6012460 100644
--- a/core/tee/tee_svc_cryp.c
+++ b/core/tee/tee_svc_cryp.c
@@ -1332,11 +1332,14 @@ static TEE_Result copy_in_attrs(struct user_ta_ctx *utc,
 {
 	TEE_Result res;
 	uint32_t n;
+	size_t size = 0;
+
+	if (MUL_OVERFLOW(sizeof(struct utee_attribute), attr_count, &size))
+		return TEE_ERROR_OVERFLOW;
 
 	res = tee_mmu_check_access_rights(utc,
 			TEE_MEMORY_ACCESS_READ | TEE_MEMORY_ACCESS_ANY_OWNER,
-			(uaddr_t)usr_attrs,
-			attr_count * sizeof(struct utee_attribute));
+			(uaddr_t)usr_attrs, size);
 	if (res != TEE_SUCCESS)
 		return res;
author	Jerome Forissier <jerome.forissier@linaro.org>	2019-02-05 15:49:50 +0100
committer	Jérôme Forissier <jerome.forissier@linaro.org>	2019-02-25 14:23:58 +0100
commit	bd81e5b95ec910e9e3fa9f1824f3981288af5d50 (patch)
tree	b7bfe79345cc1d5a1dc86218d8c3024f192014b1 /core
parent	3bcb882f200c2dd14ea1937031d5bd97bf6a78ca (diff)