On Tue, Nov 08, 2022 at 11:42:01AM +0530, Sumit Garg wrote:
> Hi Greg,
>
> On Mon, 22 Aug 2022 at 18:42, Jens Wiklander <jens.wiklander@linaro.org> wrote:
> >
> > commit 573ae4f13f630d6660008f1974c0a8a29c30e18a upstream.
> >
> > With special lengths supplied by user space, tee_shm_register() has an
> > integer overflow when calculating the number of pages covered by a
> > supplied user space memory region.
> >
> > This may cause pin_user_pages_fast() to do a NULL pointer dereference.
> >
> > Fix this by adding an explicit call to access_ok() in
> > tee_ioctl_shm_register() to catch an invalid user space address early.
> >
> > Fixes: 033ddf12bcf5 ("tee: add register user memory")
> > Cc: stable@vger.kernel.org # 5.4
> > Cc: stable@vger.kernel.org # 5.10
> > Reported-by: Nimish Mishra <neelam.nimish@gmail.com>
> > Reported-by: Anirban Chakraborty <ch.anirban00727@gmail.com>
> > Reported-by: Debdeep Mukhopadhyay <debdeep.mukhopadhyay@gmail.com>
> > Suggested-by: Jerome Forissier <jerome.forissier@linaro.org>
> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> > [JW: backport to stable 5.4 and 5.10 + update commit message]
> > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
> >
> >  drivers/tee/tee_core.c | 3 +++
> >  1 file changed, 3 insertions(+)
>
> The v5.15 backport [1] for this fix has broken the kernel consumers for
> tee_shm_register(); the trusted keys driver is one of them, reported here [2].
> We need to fix that up with the following change [3]. Would you like to
> revert the backport and apply the correct one, or should I prepare a fix
> patch for the following [3]?
A fixup patch is fine if needed, along with the description of why the backport was broken. Note, this commit went much further back than 5.15, so be sure to check older kernels too.
thanks,
greg k-h
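The commit message quoted above describes a page-count calculation that wraps when user space supplies a length close to the address-space limit, and a fix that rejects such input with access_ok() before any pages are pinned. The following user-space C program is an added illustration of that bug class and of the shape of the check; it is not the kernel's code and not the patch under discussion. PAGE_SHIFT, TASK_SIZE_MAX (a 47-bit user limit, as on a typical 64-bit layout) and all function names are assumptions chosen for the model.

```c
/*
 * Added illustration (not kernel code): how a page-count calculation over a
 * user-supplied (addr, length) pair can wrap, and how a range check in the
 * spirit of access_ok() rejects such input before anything is pinned.
 * PAGE_SHIFT, TASK_SIZE_MAX and the function names are assumptions for this
 * model, not the kernel's definitions. Assumes a 64-bit uintptr_t.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE ((uintptr_t)1 << PAGE_SHIFT)
#define PAGE_MASK (~(PAGE_SIZE - 1))
/* Assumed upper bound of user space (47-bit layout). */
#define TASK_SIZE_MAX ((uintptr_t)1 << 47)

/* Range check modelled on access_ok(): the region must not wrap around and
 * must lie entirely below the user/kernel boundary. Written so that the
 * comparison itself cannot overflow. */
static bool user_range_ok(uintptr_t addr, size_t len)
{
	if (len > TASK_SIZE_MAX)
		return false;          /* too long to fit anywhere */
	if (addr > TASK_SIZE_MAX - len)
		return false;          /* end past the boundary, or would wrap */
	return true;
}

/* Unchecked page count: round the end up and the start down, then divide.
 * "addr + len + PAGE_SIZE - 1" is evaluated in uintptr_t arithmetic, so a
 * length close to UINTPTR_MAX makes it wrap and the count becomes garbage
 * (here it collapses to 0 for a region that is nearly the whole address
 * space). */
static size_t unchecked_num_pages(uintptr_t addr, size_t len)
{
	uintptr_t start = addr & PAGE_MASK;
	uintptr_t end = (addr + len + PAGE_SIZE - 1) & PAGE_MASK;
	return (size_t)((end - start) >> PAGE_SHIFT);
}

/* Guarded variant: validate the range first; -1 means "rejected". */
static long checked_num_pages(uintptr_t addr, size_t len)
{
	if (!user_range_ok(addr, len))
		return -1;
	return (long)unchecked_num_pages(addr, len);
}

int main(void)
{
	/* Constructed inputs: a normal 8 KiB region, and one whose length is
	 * chosen so that addr + len wraps past zero. */
	uintptr_t ok_addr = 0x1000, bad_addr = 0x1800;
	size_t ok_len = 0x2000, bad_len = UINTPTR_MAX - 0x1000;

	printf("normal region: %zu pages\n",
	       unchecked_num_pages(ok_addr, ok_len));
	printf("wrapping region, unchecked: %zu pages (nonsense)\n",
	       unchecked_num_pages(bad_addr, bad_len));
	printf("wrapping region, checked: %ld (rejected)\n",
	       checked_num_pages(bad_addr, bad_len));
	return 0;
}
```

The point of the split into two functions is that the arithmetic itself is not wrong for sane input; the defect is that nothing guarantees sane input before the arithmetic runs. The check therefore belongs at the boundary where the (addr, len) pair first arrives from user space, which is where the quoted fix places access_ok().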