diff options
author | Jerome Forissier <jerome.forissier@linaro.org> | 2019-02-05 15:49:50 +0100 |
---|---|---|
committer | Jérôme Forissier <jerome.forissier@linaro.org> | 2019-02-25 14:23:58 +0100 |
commit | bd81e5b95ec910e9e3fa9f1824f3981288af5d50 (patch) | |
tree | b7bfe79345cc1d5a1dc86218d8c3024f192014b1 /core | |
parent | 3bcb882f200c2dd14ea1937031d5bd97bf6a78ca (diff) |
core: crypto: add overflow check when copying attributes
In copy_in_attrs(), attr_count * sizeof(struct utee_attribute) could
overflow if a very large attr_count is given. Use MUL_OVERFLOW() to
properly deal with this case.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.9]
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Diffstat (limited to 'core')
-rw-r--r-- | core/tee/tee_svc_cryp.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/core/tee/tee_svc_cryp.c b/core/tee/tee_svc_cryp.c index 7420ca86..b6012460 100644 --- a/core/tee/tee_svc_cryp.c +++ b/core/tee/tee_svc_cryp.c @@ -1332,11 +1332,14 @@ static TEE_Result copy_in_attrs(struct user_ta_ctx *utc, { TEE_Result res; uint32_t n; + size_t size = 0; + + if (MUL_OVERFLOW(sizeof(struct utee_attribute), attr_count, &size)) + return TEE_ERROR_OVERFLOW; res = tee_mmu_check_access_rights(utc, TEE_MEMORY_ACCESS_READ | TEE_MEMORY_ACCESS_ANY_OWNER, - (uaddr_t)usr_attrs, - attr_count * sizeof(struct utee_attribute)); + (uaddr_t)usr_attrs, size); if (res != TEE_SUCCESS) return res; |