mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-27 21:03:32 +00:00
tee: fix memory leak in tee_shm_register()
Moves the access_ok() check for valid memory range from user space from
the function tee_shm_register() to tee_ioctl_shm_register(). With this
we error out early before anything is done that must be undone on error.
Fixes: 578c349570
("tee: add overflow check in register_shm_helper()")
Cc: stable@vger.kernel.org # 5.10
Reported-by: Pavel Machek <pavel@denx.de>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
3527e3cbb8
commit
606fe84a41
2 changed files with 3 additions and 3 deletions
|
@ -334,6 +334,9 @@ tee_ioctl_shm_register(struct tee_context *ctx,
|
|||
if (data.flags)
|
||||
return -EINVAL;
|
||||
|
||||
if (!access_ok((void __user *)(unsigned long)data.addr, data.length))
|
||||
return -EFAULT;
|
||||
|
||||
shm = tee_shm_register(ctx, data.addr, data.length,
|
||||
TEE_SHM_DMA_BUF | TEE_SHM_USER_MAPPED);
|
||||
if (IS_ERR(shm))
|
||||
|
|
|
@ -222,9 +222,6 @@ struct tee_shm *tee_shm_register(struct tee_context *ctx, unsigned long addr,
|
|||
goto err;
|
||||
}
|
||||
|
||||
if (!access_ok((void __user *)addr, length))
|
||||
return ERR_PTR(-EFAULT);
|
||||
|
||||
mutex_lock(&teedev->mutex);
|
||||
shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL);
|
||||
mutex_unlock(&teedev->mutex);
|
||||
|
|
Loading…
Reference in a new issue