linux-stable/drivers
Jens Wiklander 2f8e79a1a6 tee: add overflow check in register_shm_helper()
commit 573ae4f13f upstream.

With special lengths supplied by user space, register_shm_helper() has
an integer overflow when calculating the number of pages covered by a
supplied user space memory region.

This causes internal_get_user_pages_fast(), a helper function of
pin_user_pages_fast(), to do a NULL pointer dereference:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
  Modules linked in:
  CPU: 1 PID: 173 Comm: optee_example_a Not tainted 5.19.0 #11
  Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
  pc : internal_get_user_pages_fast+0x474/0xa80
  Call trace:
   internal_get_user_pages_fast+0x474/0xa80
   pin_user_pages_fast+0x24/0x4c
   register_shm_helper+0x194/0x330
   tee_shm_register_user_buf+0x78/0x120
   tee_ioctl+0xd0/0x11a0
   __arm64_sys_ioctl+0xa8/0xec
   invoke_syscall+0x48/0x114

Fix this by adding an explicit call to access_ok() in
tee_shm_register_user_buf() to catch an invalid user space address
early.

Fixes: 033ddf12bc ("tee: add register user memory")
Cc: stable@vger.kernel.org
Reported-by: Nimish Mishra <neelam.nimish@gmail.com>
Reported-by: Anirban Chakraborty <ch.anirban00727@gmail.com>
Reported-by: Debdeep Mukhopadhyay <debdeep.mukhopadhyay@gmail.com>
Suggested-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-08-21 15:18:56 +02:00
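The overflow the commit message describes, reproduced in user space as an added illustration (this is not the kernel's or the tee driver's code). `page_count_unchecked()` mirrors the round-down/round-up page arithmetic pattern that wraps when `addr + length` overflows; `page_count_checked()` shows the effect of an access_ok()-style range check applied before that arithmetic. `PAGE_SIZE`, `TASK_SIZE`, the helper names and the zero-length rejection are assumptions made for the example, not values or behaviour taken from the driver.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Assumed for the example: 4 KiB pages and a 47-bit user address space. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define TASK_SIZE  (1UL << 47)

static unsigned long rounddown_page(unsigned long x)
{
	return x & ~(PAGE_SIZE - 1);
}

static unsigned long roundup_page(unsigned long x)
{
	return (x + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
}

/*
 * Unchecked variant: the number of pages covered by [addr, addr + length).
 * With a length close to ULONG_MAX the sum addr + length wraps, so the
 * "end" lands below or at "start" and the count comes out as 0 (or as a
 * wrapped, enormous value) while the caller still believes it registered
 * a huge buffer.
 */
unsigned long page_count_unchecked(unsigned long addr, unsigned long length)
{
	unsigned long start = rounddown_page(addr);

	return (roundup_page(addr + length) - start) / PAGE_SIZE;
}

/*
 * Checked variant: reject the range before doing any arithmetic on it.
 * The check has the same shape as an access_ok(): the end of the range
 * must be computable without wrapping and must lie inside the user
 * address space. Returns the page count, or a negative errno.
 */
long page_count_checked(unsigned long addr, unsigned long length)
{
	unsigned long start, end;

	if (length == 0)	/* example policy: an empty region is a caller bug */
		return -EINVAL;
	if (__builtin_add_overflow(addr, length, &end))
		return -EFAULT;	/* addr + length wrapped */
	if (end > TASK_SIZE)
		return -EFAULT;	/* range extends past user space */

	start = rounddown_page(addr);
	return (long)((roundup_page(end) - start) / PAGE_SIZE);
}

int main(void)
{
	/* Constructed inputs: a sane 2-page region and a wrapping length. */
	unsigned long sane_addr = 0x1000UL, sane_len = 0x2000UL;
	unsigned long bad_addr = 0x10800UL, bad_len = ULONG_MAX - 0x7FFUL;

	printf("sane: unchecked=%lu checked=%ld\n",
	       page_count_unchecked(sane_addr, sane_len),
	       page_count_checked(sane_addr, sane_len));
	printf("wrap: unchecked=%lu checked=%ld (-EFAULT is %d)\n",
	       page_count_unchecked(bad_addr, bad_len),
	       page_count_checked(bad_addr, bad_len), -EFAULT);
	return 0;
}
```

For the wrapping input, `addr + length` lands exactly on the page boundary that `rounddown_page(addr)` produces, so the unchecked count is 0 pages for a multi-exabyte length; whatever the caller allocates and hands on from that count cannot match the region it thinks it pinned. The checked variant refuses the same input before any page arithmetic runs, which is the point of placing the range check at the ioctl entry rather than deeper in the helper.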
accessibility
acpi ACPI: CPPC: Do not prevent CPPC from working in the future 2022-08-17 14:42:28 +02:00
amba
android android: binder: stop saving a pointer to the VMA 2022-08-17 14:41:55 +02:00
ata ata: libata-core: fix NULL pointer deref in ata_host_alloc_pinfo() 2022-06-22 14:27:50 +02:00
atm
auxdisplay
base drivers/base: fix userspace break from using bin_attributes for cpumap and cpulist 2022-08-17 14:42:20 +02:00
bcma
block xen-blkfront: Apply 'feature_persistent' parameter when connect 2022-08-17 14:42:33 +02:00
bluetooth Bluetooth: Add default wakeup callback for HCI UART driver 2022-08-17 14:41:11 +02:00
bus bus: hisi_lpc: fix missing platform_device_put() in hisi_lpc_acpi_probe() 2022-08-17 14:40:35 +02:00
cdrom
char tpm: Add check for Failure mode for TPM2 modules 2022-08-17 14:42:32 +02:00
clk clk: qcom: gcc-msm8939: Fix weird field spacing in ftbl_gcc_camss_cci_clk 2022-08-17 14:41:50 +02:00
clocksource clocksource/drivers/ixp4xx: Drop boardfile probe path 2022-07-02 16:44:55 +02:00
comedi comedi: vmk80xx: fix expression for tx buffer size 2022-06-22 14:28:06 +02:00
connector
counter
cpufreq cpufreq: pmac32-cpufreq: Fix refcount leak bug 2022-07-22 10:21:48 +02:00
cpuidle cpuidle: riscv-sbi: Fix code to allow a genpd governor to be used 2022-06-09 10:30:18 +02:00
crypto crypto: hisilicon/sec - fix auth key size error 2022-08-17 14:41:14 +02:00
cxl cxl: Fix cleanup of port devices on failure to probe driver. 2022-07-12 16:42:16 +02:00
dax
dca
devfreq PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events 2022-07-07 17:54:53 +02:00
dio
dma dmaengine: imx-dma: Cast of_device_get_match_data() with (uintptr_t) 2022-08-17 14:41:51 +02:00
dma-buf udmabuf: add back sanity check 2022-06-29 09:04:32 +02:00
edac EDAC/synopsys: Re-enable the error interrupts on v3 hw 2022-08-03 12:05:29 +02:00
eisa
extcon extcon: Modify extcon device to be created after driver data is set 2022-06-14 18:45:11 +02:00
firewire
firmware firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails 2022-08-17 14:42:21 +02:00
fpga fpga: altera-pr-ip: fix unsigned comparison with less than zero 2022-08-17 14:41:21 +02:00
fsi
gnss
gpio gpio: gpiolib-of: Fix refcount bugs in of_mm_gpiochip_add_data() 2022-08-17 14:41:51 +02:00
gpu drm/vc4: change vc4_dma_range_matches from a global to static 2022-08-17 14:42:36 +02:00
greybus
hid HID: amd_sfh: Handle condition of "no sensors" 2022-08-17 14:41:53 +02:00
hsi
hv Drivers: hv: vmbus: Release cpu lock in error case 2022-06-22 14:27:58 +02:00
hwmon hwmon: (drivetemp) Add module alias 2022-08-17 14:40:39 +02:00
hwspinlock
hwtracing intel_th: pci: Add Raptor Lake-S CPU support 2022-08-17 14:42:22 +02:00
i2c i2c: mux-gpmux: Add of_node_put() when breaking out of loop 2022-08-17 14:41:12 +02:00
i3c
idle intel_idle: make SPR C1 and C1E be independent 2022-08-17 14:42:27 +02:00
iio iio: adc: max1027: unlock on error path in max1027_read_single_value() 2022-08-17 14:41:51 +02:00
infiniband RDMA/rxe: Fix error unwind in rxe_create_qp() 2022-08-17 14:41:56 +02:00
input Input: gscps2 - check return value of ioremap() in gscps2_probe() 2022-08-17 14:42:20 +02:00
interconnect interconnect: imx: fix max_node_id 2022-08-17 14:41:49 +02:00
iommu iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE) 2022-08-17 14:42:22 +02:00
ipack
irqchip irqchip/mips-gic: Check the return value of ioremap() in gic_of_init() 2022-08-17 14:40:22 +02:00
isdn net: remove noblock parameter from skb_recv_datagram() 2022-06-22 14:28:02 +02:00
leds
macintosh macintosh/adb: fix oob read in do_adb_query() function 2022-08-11 13:20:44 +02:00
mailbox mailbox: forward the hrtimer if not queued and under a lock 2022-06-09 10:30:33 +02:00
mcb
md dm raid: fix address sanitizer warning in raid_resume 2022-08-17 14:42:29 +02:00
media media: amphion: only insert the first sequence startcode for vc1l format 2022-08-17 14:41:02 +02:00
memory memory: samsung: exynos5422-dmc: Fix refcount leak in of_get_dram_timings 2022-06-29 09:04:42 +02:00
memstick memstick/ms_block: Fix a memory leak 2022-08-17 14:41:46 +02:00
message
mfd mfd: max77620: Fix refcount leak in max77620_initialise_fps 2022-08-17 14:42:07 +02:00
misc eeprom: idt_89hpesx: uninitialized data in idt_dbgfs_csr_write() 2022-08-17 14:41:48 +02:00
mmc mmc: cavium-thunderx: Add of_node_put() when breaking out of loop 2022-08-17 14:41:52 +02:00
most
mtd mtd: spi-nor: fix spi_nor_spimem_setup_op() call in spi_nor_erase_{sector,chip}() 2022-08-17 14:41:53 +02:00
mux
net net: phy: smsc: Disable Energy Detect Power-Down in interrupt mode 2022-08-17 14:42:35 +02:00
nfc NFC: nxp-nci: don't print header length mismatch on i2c error 2022-07-22 10:21:49 +02:00
ntb
nubus
nvdimm nvdimm: Fix badblocks clear off-by-one error 2022-07-07 17:54:45 +02:00
nvme block: add a bdev_max_zone_append_sectors helper 2022-08-17 14:42:25 +02:00
nvmem
of of/fdt: declared return type does not match actual return type 2022-08-17 14:41:56 +02:00
opp opp: Fix error check in dev_pm_opp_attach_genpd() 2022-08-17 14:41:58 +02:00
parisc parisc: Check the return value of ioremap() in lba_driver_probe() 2022-08-17 14:40:09 +02:00
parport
pci PCI: qcom: Power on PHY before IPQ8074 DBI register accesses 2022-08-17 14:42:22 +02:00
pcmcia pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards 2022-06-14 18:44:44 +02:00
peci
perf drivers/perf: arm_spe: Fix consistency of SYS_PMSCR_EL1.CX 2022-08-17 14:40:41 +02:00
phy phy: rockchip-inno-usb2: Ignore OTG IRQs in host mode 2022-08-17 14:41:48 +02:00
pinctrl pinctrl: Don't allow PINCTRL_AMD to be a module 2022-08-17 14:40:26 +02:00
platform platform/olpc: Fix uninitialized data in debugfs write 2022-08-17 14:41:54 +02:00
pnp
power power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe 2022-07-29 17:27:58 +02:00
powercap
pps
ps3
ptp ptp: ocp: change sysfs attr group handling 2022-05-18 21:44:37 -07:00
pwm pwm: lpc18xx: Fix period handling 2022-08-17 14:40:43 +02:00
rapidio
ras
regulator regulator: of: Fix refcount leak bug in of_get_regulation_constraints() 2022-08-17 14:40:40 +02:00
remoteproc remoteproc: sysmon: Wait for SSCTL service to come up 2022-08-17 14:42:07 +02:00
reset
rpmsg rpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge 2022-08-17 14:42:06 +02:00
rtc rtc: rx8025: fix 12/24 hour mode detection on RX-8035 2022-08-17 14:40:11 +02:00
s390 scsi: zfcp: Fix missing auto port scan and thus missing target ports 2022-08-17 14:42:17 +02:00
sbus
scsi scsi: qla2xxx: Fix losing FCP-2 targets during port perturbation tests 2022-08-17 14:42:19 +02:00
sh
siox
slimbus slimbus: qcom: Fix IRQ check in qcom_slim_probe 2022-05-09 16:00:20 +02:00
soc soc: qcom: socinfo: Fix the id of SA8540P SoC 2022-08-17 14:40:40 +02:00
soundwire soundwire: revisit driver bind/unbind and callbacks 2022-08-17 14:41:44 +02:00
spi spi: tegra20-slink: fix UAF in tegra_slink_remove() 2022-08-17 14:40:38 +02:00
spmi
ssb
staging staging: fbtft: core: set smem_len before fb_deferred_io_init call 2022-08-17 14:41:53 +02:00
target target: remove an incorrect unmap zeroes data deduction 2022-06-09 10:29:59 +02:00
tc
tee tee: add overflow check in register_shm_helper() 2022-08-21 15:18:56 +02:00
thermal thermal: sysfs: Fix cooling_device_stats_setup() error code path 2022-08-17 14:40:08 +02:00
thunderbolt thunderbolt: Use different lane for second DisplayPort tunnel 2022-06-14 18:45:09 +02:00
tty tty: 8250: Add support for Brainboxes PX cards. 2022-08-17 14:42:23 +02:00
uio
usb usb: cdns3: Don't use priv_dev uninitialized in cdns3_gadget_ep_enable() 2022-08-17 14:41:57 +02:00
vdpa vduse: Tie vduse mgmtdev and its device 2022-07-22 10:21:46 +02:00
vfio vfio/pci: Have all VFIO PCI drivers store the vfio_pci_core_device in drvdata 2022-08-17 14:42:01 +02:00
vhost vringh: Fix loop descriptors check in the indirect cases 2022-06-14 18:45:15 +02:00
video video: fbdev: s3fb: Check the size of screen before memset_io() 2022-08-17 14:42:17 +02:00
virt
virtio virtio_mmio: Restore guest page size on resume 2022-07-22 10:21:47 +02:00
visorbus
vlynq
vme
w1
watchdog watchdog: armada_37xx_wdt: check the return value of devm_ioremap() in armada_37xx_wdt_probe() 2022-08-17 14:42:10 +02:00
xen xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE 2022-07-22 10:21:34 +02:00
zorro
Kconfig
Makefile