linux-stable/drivers
Jens Wiklander 2f8e79a1a6 tee: add overflow check in register_shm_helper()
commit 573ae4f13f upstream.

With special lengths supplied by user space, register_shm_helper() has
an integer overflow when calculating the number of pages covered by a
supplied user space memory region.

This causes internal_get_user_pages_fast(), a helper function of
pin_user_pages_fast(), to do a NULL pointer dereference:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
  Modules linked in:
  CPU: 1 PID: 173 Comm: optee_example_a Not tainted 5.19.0 #11
  Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
  pc : internal_get_user_pages_fast+0x474/0xa80
  Call trace:
   internal_get_user_pages_fast+0x474/0xa80
   pin_user_pages_fast+0x24/0x4c
   register_shm_helper+0x194/0x330
   tee_shm_register_user_buf+0x78/0x120
   tee_ioctl+0xd0/0x11a0
   __arm64_sys_ioctl+0xa8/0xec
   invoke_syscall+0x48/0x114

Fix this by adding an explicit call to access_ok() in
tee_shm_register_user_buf() to catch an invalid user space address
early.

Fixes: 033ddf12bc ("tee: add register user memory")
Cc: stable@vger.kernel.org
Reported-by: Nimish Mishra <neelam.nimish@gmail.com>
Reported-by: Anirban Chakraborty <ch.anirban00727@gmail.com>
Reported-by: Debdeep Mukhopadhyay <debdeep.mukhopadhyay@gmail.com>
Suggested-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-08-21 15:18:56 +02:00
accessibility Linux 5.17-rc4 2022-02-14 09:00:38 +01:00
acpi ACPI: CPPC: Do not prevent CPPC from working in the future 2022-08-17 14:42:28 +02:00
amba ARM: 9174/1: amba: Move EXPORT_SYMBOL() closer to definition 2022-02-28 13:59:18 +00:00
android android: binder: stop saving a pointer to the VMA 2022-08-17 14:41:55 +02:00
ata ata: libata-core: fix NULL pointer deref in ata_host_alloc_pinfo() 2022-06-22 14:27:50 +02:00
atm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-03-17 13:56:58 -07:00
auxdisplay auxdisplay: lcd2s: Use array size explicitly in lcd2s_gotoxy() 2022-03-18 20:31:14 +01:00
base drivers/base: fix userspace break from using bin_attributes for cpumap and cpulist 2022-08-17 14:42:20 +02:00
bcma Core MTD changes: 2022-03-25 13:35:34 -07:00
block xen-blkfront: Apply 'feature_persistent' parameter when connect 2022-08-17 14:42:33 +02:00
bluetooth Bluetooth: Add default wakeup callback for HCI UART driver 2022-08-17 14:41:11 +02:00
bus bus: hisi_lpc: fix missing platform_device_put() in hisi_lpc_acpi_probe() 2022-08-17 14:40:35 +02:00
cdrom cdrom: remove unused variable 2022-04-06 08:47:52 -06:00
char tpm: Add check for Failure mode for TPM2 modules 2022-08-17 14:42:32 +02:00
clk clk: qcom: gcc-msm8939: Fix weird field spacing in ftbl_gcc_camss_cci_clk 2022-08-17 14:41:50 +02:00
clocksource clocksource/drivers/ixp4xx: Drop boardfile probe path 2022-07-02 16:44:55 +02:00
comedi comedi: vmk80xx: fix expression for tx buffer size 2022-06-22 14:28:06 +02:00
connector connector/cn_proc: Use task_is_in_init_pid_ns() 2022-01-26 18:57:09 -08:00
counter Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
cpufreq cpufreq: pmac32-cpufreq: Fix refcount leak bug 2022-07-22 10:21:48 +02:00
cpuidle cpuidle: riscv-sbi: Fix code to allow a genpd governor to be used 2022-06-09 10:30:18 +02:00
crypto crypto: hisilicon/sec - fix auth key size error 2022-08-17 14:41:14 +02:00
cxl cxl: Fix cleanup of port devices on failure to probe driver. 2022-07-12 16:42:16 +02:00
dax dax for 5.18 2022-03-24 18:12:09 -07:00
dca dca: Use PTR_ERR_OR_ZERO() to simplify code 2020-05-15 16:25:20 +02:00
devfreq PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events 2022-07-07 17:54:53 +02:00
dio drivers: dio: Missing a blank line after declarations 2022-02-04 16:45:39 +01:00
dma dmaengine: imx-dma: Cast of_device_get_match_data() with (uintptr_t) 2022-08-17 14:41:51 +02:00
dma-buf udmabuf: add back sanity check 2022-06-29 09:04:32 +02:00
edac EDAC/synopsys: Re-enable the error interrupts on v3 hw 2022-08-03 12:05:29 +02:00
eisa EISA: use DEVICE_ATTR_RO() helper macro 2021-06-04 15:28:34 +02:00
extcon extcon: Modify extcon device to be created after driver data is set 2022-06-14 18:45:11 +02:00
firewire firewire: core: extend card->lock in fw_core_handle_bus_reset 2022-04-25 08:01:09 +02:00
firmware firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails 2022-08-17 14:42:21 +02:00
fpga fpga: altera-pr-ip: fix unsigned comparison with less than zero 2022-08-17 14:41:21 +02:00
fsi FSI changes for v5.18 2022-02-21 17:47:42 +01:00
gnss gnss: usb: add support for Sierra Wireless XM1210 2021-12-22 15:38:12 +01:00
gpio gpio: gpiolib-of: Fix refcount bugs in of_mm_gpiochip_add_data() 2022-08-17 14:41:51 +02:00
gpu drm/vc4: change vc4_dma_range_matches from a global to static 2022-08-17 14:42:36 +02:00
greybus greybus: svc: clean up link configuration hack at hello 2022-02-04 15:27:44 +01:00
hid HID: amd_sfh: Handle condition of "no sensors" 2022-08-17 14:41:53 +02:00
hsi HSI: core: Fix return freed object in hsi_new_client 2021-11-26 00:27:06 +01:00
hv Drivers: hv: vmbus: Release cpu lock in error case 2022-06-22 14:27:58 +02:00
hwmon hwmon: (drivetemp) Add module alias 2022-08-17 14:40:39 +02:00
hwspinlock hwspinlock: sprd: Use struct_size() helper in devm_kzalloc() 2022-03-11 14:56:57 -06:00
hwtracing intel_th: pci: Add Raptor Lake-S CPU support 2022-08-17 14:42:22 +02:00
i2c i2c: mux-gpmux: Add of_node_put() when breaking out of loop 2022-08-17 14:41:12 +02:00
i3c i3c: fix uninitialized variable use in i2c setup 2022-03-08 22:33:52 +01:00
idle intel_idle: make SPR C1 and C1E be independent 2022-08-17 14:42:27 +02:00
iio iio: adc: max1027: unlock on error path in max1027_read_single_value() 2022-08-17 14:41:51 +02:00
infiniband RDMA/rxe: Fix error unwind in rxe_create_qp() 2022-08-17 14:41:56 +02:00
input Input: gscps2 - check return value of ioremap() in gscps2_probe() 2022-08-17 14:42:20 +02:00
interconnect interconnect: imx: fix max_node_id 2022-08-17 14:41:49 +02:00
iommu iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE) 2022-08-17 14:42:22 +02:00
ipack ipack: ipoctal: rename tty-driver pointer 2021-10-04 11:21:24 +02:00
irqchip irqchip/mips-gic: Check the return value of ioremap() in gic_of_init() 2022-08-17 14:40:22 +02:00
isdn net: remove noblock parameter from skb_recv_datagram() 2022-06-22 14:28:02 +02:00
leds LED updates for 5.18-rc1. Nothing major here, there are two drivers 2022-03-27 14:09:48 -07:00
macintosh macintosh/adb: fix oob read in do_adb_query() function 2022-08-11 13:20:44 +02:00
mailbox mailbox: forward the hrtimer if not queued and under a lock 2022-06-09 10:30:33 +02:00
mcb mcb: fix error handling in mcb_alloc_bus() 2021-09-14 11:22:26 +02:00
md dm raid: fix address sanitizer warning in raid_resume 2022-08-17 14:42:29 +02:00
media media: amphion: only insert the first sequence startcode for vc1l format 2022-08-17 14:41:02 +02:00
memory memory: samsung: exynos5422-dmc: Fix refcount leak in of_get_dram_timings 2022-06-29 09:04:42 +02:00
memstick memstick/ms_block: Fix a memory leak 2022-08-17 14:41:46 +02:00
message scsi: message: fusion: Remove redundant variable dmp 2022-04-06 22:28:07 -04:00
mfd mfd: max77620: Fix refcount leak in max77620_initialise_fps 2022-08-17 14:42:07 +02:00
misc eeprom: idt_89hpesx: uninitialized data in idt_dbgfs_csr_write() 2022-08-17 14:41:48 +02:00
mmc mmc: cavium-thunderx: Add of_node_put() when breaking out of loop 2022-08-17 14:41:52 +02:00
most most: usb: replace snprintf in show functions with sysfs_emit 2021-11-26 17:03:47 +01:00
mtd mtd: spi-nor: fix spi_nor_spimem_setup_op() call in spi_nor_erase_{sector,chip}() 2022-08-17 14:41:53 +02:00
mux mux: Fix struct mux_state kernel-doc comment 2022-02-04 15:47:12 +01:00
net net: phy: smsc: Disable Energy Detect Power-Down in interrupt mode 2022-08-17 14:42:35 +02:00
nfc NFC: nxp-nci: don't print header length mismatch on i2c error 2022-07-22 10:21:49 +02:00
ntb ntb: intel: fix port config status offset for SPR 2022-01-28 10:19:16 -05:00
nubus proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
nvdimm nvdimm: Fix badblocks clear off-by-one error 2022-07-07 17:54:45 +02:00
nvme block: add a bdev_max_zone_append_sectors helper 2022-08-17 14:42:25 +02:00
nvmem nvmem: brcm_nvram: parse NVRAM content into NVMEM cells 2022-03-18 14:08:36 +01:00
of of/fdt: declared return type does not match actual return type 2022-08-17 14:41:56 +02:00
opp opp: Fix error check in dev_pm_opp_attach_genpd() 2022-08-17 14:41:58 +02:00
parisc parisc: Check the return value of ioremap() in lba_driver_probe() 2022-08-17 14:40:09 +02:00
parport parport_pc: Also enable driver for PCI systems 2022-03-18 14:01:41 +01:00
pci PCI: qcom: Power on PHY before IPQ8074 DBI register accesses 2022-08-17 14:42:22 +02:00
pcmcia pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards 2022-06-14 18:44:44 +02:00
peci peci: Add peci-cpu driver 2022-02-09 08:04:44 +01:00
perf drivers/perf: arm_spe: Fix consistency of SYS_PMSCR_EL1.CX 2022-08-17 14:40:41 +02:00
phy phy: rockchip-inno-usb2: Ignore OTG IRQs in host mode 2022-08-17 14:41:48 +02:00
pinctrl pinctrl: Don't allow PINCTRL_AMD to be a module 2022-08-17 14:40:26 +02:00
platform platform/olpc: Fix uninitialized data in debugfs write 2022-08-17 14:41:54 +02:00
pnp PNP update for 5.18-rc1 2022-03-21 14:46:01 -07:00
power power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe 2022-07-29 17:27:58 +02:00
powercap powercap: DTPM: Fix spelling mistake "initialze" -> "initialize" 2022-03-01 18:59:35 +01:00
pps pps: generators: pps_gen_parport: Switch to use module_parport_driver() 2022-03-18 14:01:19 +01:00
ps3 powerpc/ps3: Warn on PS3 device errors 2021-06-10 21:44:58 +10:00
ptp ptp: ocp: change sysfs attr group handling 2022-05-18 21:44:37 -07:00
pwm pwm: lpc18xx: Fix period handling 2022-08-17 14:40:43 +02:00
rapidio rapidio/tsi721: Remove usage of the deprecated "pci-dma-compat.h" API 2022-02-25 17:19:21 +01:00
ras RAS/CEC: Remove a repeated 'an' in a comment 2021-12-11 11:55:27 +01:00
regulator regulator: of: Fix refcount leak bug in of_get_regulation_constraints() 2022-08-17 14:40:40 +02:00
remoteproc remoteproc: sysmon: Wait for SSCTL service to come up 2022-08-17 14:42:07 +02:00
reset reset: tegra-bpmp: Restore Handle errors in BPMP response 2022-04-04 11:14:13 +02:00
rpmsg rpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge 2022-08-17 14:42:06 +02:00
rtc rtc: rx8025: fix 12/24 hour mode detection on RX-8035 2022-08-17 14:40:11 +02:00
s390 scsi: zfcp: Fix missing auto port scan and thus missing target ports 2022-08-17 14:42:17 +02:00
sbus module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
scsi scsi: qla2xxx: Fix losing FCP-2 targets during port perturbation tests 2022-08-17 14:42:19 +02:00
sh maple: fix wrong return value of maple_bus_init(). 2021-09-17 14:00:09 -04:00
siox bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
slimbus slimbus: qcom: Fix IRQ check in qcom_slim_probe 2022-05-09 16:00:20 +02:00
soc soc: qcom: socinfo: Fix the id of SA8540P SoC 2022-08-17 14:40:40 +02:00
soundwire soundwire: revisit driver bind/unbind and callbacks 2022-08-17 14:41:44 +02:00
spi spi: tegra20-slink: fix UAF in tegra_slink_remove() 2022-08-17 14:40:38 +02:00
spmi spmi: spmi-pmic-arb: fix irq_set_type race condition 2021-12-17 17:18:18 +01:00
ssb ssb: Use dev_driver_string() instead of pci_dev->driver->name 2021-10-12 17:50:12 -05:00
staging staging: fbtft: core: set smem_len before fb_deferred_io_init call 2022-08-17 14:41:53 +02:00
target target: remove an incorrect unmap zeroes data deduction 2022-06-09 10:29:59 +02:00
tc The main MIPS changes for 5.6: 2020-01-31 11:28:31 -08:00
tee tee: add overflow check in register_shm_helper() 2022-08-21 15:18:56 +02:00
thermal thermal: sysfs: Fix cooling_device_stats_setup() error code path 2022-08-17 14:40:08 +02:00
thunderbolt thunderbolt: Use different lane for second DisplayPort tunnel 2022-06-14 18:45:09 +02:00
tty tty: 8250: Add support for Brainboxes PX cards. 2022-08-17 14:42:23 +02:00
uio UIO: use default_groups in kobj_type 2021-12-29 10:54:50 +01:00
usb usb: cdns3: Don't use priv_dev uninitialized in cdns3_gadget_ep_enable() 2022-08-17 14:41:57 +02:00
vdpa vduse: Tie vduse mgmtdev and its device 2022-07-22 10:21:46 +02:00
vfio vfio/pci: Have all VFIO PCI drivers store the vfio_pci_core_device in drvdata 2022-08-17 14:42:01 +02:00
vhost vringh: Fix loop descriptors check in the indirect cases 2022-06-14 18:45:15 +02:00
video video: fbdev: s3fb: Check the size of screen before memset_io() 2022-08-17 14:42:17 +02:00
virt Random number generator fixes for Linux 5.18-rc1. 2022-03-31 14:51:34 -07:00
virtio virtio_mmio: Restore guest page size on resume 2022-07-22 10:21:47 +02:00
visorbus treewide: Replace zero-length arrays with flexible-array members 2022-02-17 07:00:39 -06:00
vlynq bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
vme bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
w1 w1: w1_therm: Add support for Maxim MAX31850 thermoelement IF. 2022-03-18 14:07:09 +01:00
watchdog watchdog: armada_37xx_wdt: check the return value of devm_ioremap() in armada_37xx_wdt_probe() 2022-08-17 14:42:10 +02:00
xen xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE 2022-07-22 10:21:34 +02:00
zorro proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
Kconfig
Makefile