OP-TEE: fix operate user pointer bug in optee driver

Fix operate user pointer bug which causes panic in kernel. Change-Id: I7fcf74fb68dd0959e5ba64635c614f954d065281 Signed-off-by: Zhang Zhijie <zhangzj@rock-chips.com>
2017-04-18 15:40:59 +08:00 · 2017-04-18 15:40:59 +08:00 · 49b641fab1
commit 49b641fab1
parent 0d8cf581f9
1 changed files with 11 additions and 7 deletions
--- a/security/optee_linuxdriver/core/tee_session.c
+++ b/security/optee_linuxdriver/core/tee_session.c
@ -676,6 +676,7 @@ static void _update_client_tee_cmd(struct tee_session *sess,
 {
 	int idx;
 	struct tee_context *ctx;
+	TEEC_Operation op;

 	BUG_ON(!cmd_io);
 	BUG_ON(!cmd_io->op);
@ -694,6 +695,9 @@ static void _update_client_tee_cmd(struct tee_session *sess,
 			TEEC_NONE, TEEC_NONE, TEEC_NONE))
 		return;

+	if (tee_context_copy_from_client(ctx, &op, cmd_io->op, sizeof(op)))
+		return;
+
 	for (idx = 0; idx < TEEC_CONFIG_PAYLOAD_REF_COUNT; ++idx) {
 		int type = TEEC_PARAM_TYPE_GET(cmd->param.type_original, idx);
 		int offset = 0;
@ -728,11 +732,11 @@ static void _update_client_tee_cmd(struct tee_session *sess,
 			/* Returned updated size */
 			size_new = cmd->param.params[idx].shm->size_req;
 			if (size_new !=
-				cmd_io->op->params[idx].tmpref.size) {
+				op.params[idx].tmpref.size) {
 				dev_dbg(_DEV_TEE,
 					"Size has been updated by the TA %zd != %zd\n",
 					size_new,
-					cmd_io->op->params[idx].tmpref.size);
+					op.params[idx].tmpref.size);
 				tee_put_user(ctx, size_new,
 				     &cmd_io->op->params[idx].tmpref.size);
 			}
@ -741,15 +745,15 @@ static void _update_client_tee_cmd(struct tee_session *sess,
 				cmd->param.params[idx].shm->kaddr);

 			/* ensure we do not exceed the shared buffer length */
-			if (size_new > cmd_io->op->params[idx].tmpref.size)
+			if (size_new > op.params[idx].tmpref.size)
 				dev_err(_DEV_TEE,
 					"  *** Wrong returned size from %d:%zd > %zd\n",
 					idx, size_new,
-					cmd_io->op->params[idx].tmpref.size);
+					op.params[idx].tmpref.size);

 			else if (tee_copy_to_user
 				 (ctx,
-				  cmd_io->op->params[idx].tmpref.buffer,
+				  op.params[idx].tmpref.buffer,
 				  cmd->param.params[idx].shm->kaddr,
 				  size_new))
 				dev_err(_DEV_TEE,
@ -765,8 +769,8 @@ static void _update_client_tee_cmd(struct tee_session *sess,
 				offset = 0;
 				size = parent->size;
 			} else {
-				offset = cmd_io->op->params[idx].memref.offset;
-				size = cmd_io->op->params[idx].memref.size;
+				offset = op.params[idx].memref.offset;
+				size = op.params[idx].memref.size;
 			}

 			/* Returned updated size */