core: entry_std: check value of num_params

Checks value of num_params against OPTEE_MSG_MAX_NUM_PARAMS before using
it in OPTEE_MSG_GET_ARG_SIZE() in order to avoid unexpected wrapping.

Fixes: "Mac

core: entry_std: check value of num_params

Checks value of num_params against OPTEE_MSG_MAX_NUM_PARAMS before using
it in OPTEE_MSG_GET_ARG_SIZE() in order to avoid unexpected wrapping.

Fixes: "Macro for checking size of parameter buffer can overflow" as
reported by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: optee_msg.h: define OPTEE_MSG_MAX_NUM_PARAMS

Defines OPTEE_MSG_MAX_NUM_PARAMS to be used with the macro
OPTEE_MSG_GET_ARG_SIZE() in order to avoid unexpected wrapping.

Fixes: "Macro for check

core: optee_msg.h: define OPTEE_MSG_MAX_NUM_PARAMS

Defines OPTEE_MSG_MAX_NUM_PARAMS to be used with the macro
OPTEE_MSG_GET_ARG_SIZE() in order to avoid unexpected wrapping.

Fixes: "Macro for checking size of parameter buffer can overflow" as
reported by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: tee_mmu_check_access_rights() check all pages

Prior to this patch tee_mmu_check_access_rights() checks an address in
each page of a supplied range. If both the start and length of that
range i

core: tee_mmu_check_access_rights() check all pages

Prior to this patch tee_mmu_check_access_rights() checks an address in
each page of a supplied range. If both the start and length of that
range is unaligned the last page in the range is sometimes not checked.
With this patch the first address of each page in the range is checked
to simplify the logic of checking each page and the range and also to
cover the last page under all circumstances.

Fixes: OP-TEE-2018-0005: "tee_mmu_check_access_rights does not check
final page of TA buffer"

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

svc: Initialize tmp_va_buf to prevent a TOCTOU attack

tmp_va_buf will be used if caller parameters points to private TA
memory. However, after doing the syscall to invoke the command it could
be tha

svc: Initialize tmp_va_buf to prevent a TOCTOU attack

tmp_va_buf will be used if caller parameters points to private TA
memory. However, after doing the syscall to invoke the command it could
be that REE has changed caller parameters to point to regular shared
memory and that could potentially open for tmp_va_buf leaking old
information on the stack.

Mitigate this by simplify tee_svc_update_out_param() by only taking
tmp_buf_va[n] into account to tell if a temporary buffer is used or not.

Note that tee_svc_copy_to_user() will make sure that only data writeable
by the user TA can be updated.

Fixes: "Double fetch can be used to copy from uninitialized pointer" as
reported by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: ensure that supplied range matches MOBJ

In set_rmem_param() if the MOBJ is found by the cookie it's verified to
represent non-secure shared memory. Prior to this patch the supplied
sub-range t

core: ensure that supplied range matches MOBJ

In set_rmem_param() if the MOBJ is found by the cookie it's verified to
represent non-secure shared memory. Prior to this patch the supplied
sub-range to be used of the MOBJ was not checked here and relied on
later checks further down the chain. Those checks seems to be enough
for user TAs, but not for pseudo TAs where the size isn't checked.

This patch adds a check for offset and size to see that they remain
inside the memory covered by the MOBJ.

Fixes: OP-TEE-2018-0004: "Unchecked parameters are passed through from
REE".

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

svc: fix NULL pointer dereference during storage enumeration

In syscall_storage_next_enum(..) when 'tee_obj o' isn't successfully
initialized, then 'o->pobj->fops' is a NULL pointer and therefore we

svc: fix NULL pointer dereference during storage enumeration

In syscall_storage_next_enum(..) when 'tee_obj o' isn't successfully
initialized, then 'o->pobj->fops' is a NULL pointer and therefore we
need to check for that before trying to dereference it in the clean-up
part of the function.

Fixes: "Null pointer dereference in storage system call" as reported by
Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

svc: check for overflow when allocating a BigNum buffer

To avoid overflow errors and copy more data than being allocated we must
check for overflow when allocating a buffer for the bignum-buffer whi

svc: check for overflow when allocating a BigNum buffer

To avoid overflow errors and copy more data than being allocated we must
check for overflow when allocating a buffer for the bignum-buffer which
is 8 times larger than the binary buffer.

Fixes: "Integer overflow in crypto system call" as reported by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

svc: avoid TOCTOU issue in syscall_hash_final

When checking that the supplied buffer is big enough to fit the computed
digest one should use the local copy 'hlen' instead of 'hash_len' to
prevent th

svc: avoid TOCTOU issue in syscall_hash_final

When checking that the supplied buffer is big enough to fit the computed
digest one should use the local copy 'hlen' instead of 'hash_len' to
prevent that a malicious attacker in REE have changed the size of
'hash_len' after it has been copied to the local buffer.

(TOCTOU: Time Of Check To Time of Use)

Fixes: "Double-fetch of length in syscall_hash_final (x2)" as reported
by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

svc: check for allocation overflow in crypto calls part 2

Without checking for overflow there is a risk of allocating a buffer
with size smaller than anticipated and as a consequence of that it migh

svc: check for allocation overflow in crypto calls part 2

Without checking for overflow there is a risk of allocating a buffer
with size smaller than anticipated and as a consequence of that it might
lead to a heap based overflow with attacker controlled data written
outside the boundaries of the buffer.

Fixes: OP-TEE-2018-0011: "Integer overflow in crypto system calls (x2)"

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

svc: check for allocation overflow in crypto calls

Without checking for overflow there is a risk of allocating a buffer
with size smaller than anticipated and as a consequence of that it might
lead

svc: check for allocation overflow in crypto calls

Without checking for overflow there is a risk of allocating a buffer
with size smaller than anticipated and as a consequence of that it might
lead to a heap based overflow with attacker controlled data written
outside the boundaries of the buffer.

Fixes: OP-TEE-2018-0010: "Integer overflow in crypto system calls (x2)"

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

svc: check for allocation overflow in syscall_cryp_obj_populate

Without checking for overflow there is a risk of allocating a buffer
with size smaller than anticipated and as a consequence of that i

svc: check for allocation overflow in syscall_cryp_obj_populate

Without checking for overflow there is a risk of allocating a buffer
with size smaller than anticipated and as a consequence of that it might
lead to a heap based overflow with attacker controlled data written
outside the boundaries of the buffer.

Fixes: OP-TEE-2018-0009: "Integer overflow in crypto system calls"

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

fs: prevent out of place write when no data

Fixes: "Uninitialized return value returned if len equals 0" as reported
by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by:

fs: prevent out of place write when no data

Fixes: "Uninitialized return value returned if len equals 0" as reported
by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add missing return(s) in shdr_alloc_and_copy

Fixes: "Incorrect error handling in shdr_alloc_and_copy (x2)" as
reported by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-b

core: add missing return(s) in shdr_alloc_and_copy

Fixes: "Incorrect error handling in shdr_alloc_and_copy (x2)" as
reported by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

rpc: ensure that TA fits in allocated memory

When the TEE is about to load a TA it first asks the REE for the size of
the TA in question. Next it allocates memory for this based on the size
in the p

rpc: ensure that TA fits in allocated memory

When the TEE is about to load a TA it first asks the REE for the size of
the TA in question. Next it allocates memory for this based on the size
in the previous query. However, there is no guarantee that the REE
actually allocates the requested size. A compromised REE could for
example modify the RPC request. This means that even though an
allocation is successful, we still need to check that the size of the
allocated buffer has room to fit the entire TA we are about to load.

Fixes: "REE provided size not checked when loading TAs" as reported by
Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

tadb: set error condition on TA size mismatch

If tee_tadb_ta_read(..) is successful in secstor_ta_open(..), then we
must set an error code manually if the size check right after fails.

Fixes: "Load

tadb: set error condition on TA size mismatch

If tee_tadb_ta_read(..) is successful in secstor_ta_open(..), then we
must set an error code manually if the size check right after fails.

Fixes: "Loading from secure storage returns success with uninitialized
pointer" as reported by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: initialize saved_attr

The saved_attr variable is used in the cleanup condition in the
entry_open_session(..) function. The function cleanup_params(..)
conditionally free up memory based on the

core: initialize saved_attr

The saved_attr variable is used in the cleanup condition in the
entry_open_session(..) function. The function cleanup_params(..)
conditionally free up memory based on the values from saved_attr and
therefore saved_attr must be initialized with a proper value in case the
functions that are supposed to fill in correct attributes are failing.

Fixes: "Use of uninitialized variable in REE exposed function" as
reported by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

rpmb: check return value from essiv call

An error in the function essiv, as for example memory allocation failure
could result in an uninitialized IV, which means that the IV used for
en/decryption

rpmb: check return value from essiv call

An error in the function essiv, as for example memory allocation failure
could result in an uninitialized IV, which means that the IV used for
en/decryption would consist of data previously stored at this memory
location. This could eventually corrupt the filesystem.

Fixes: "Return value of cryptographic function is unchecked" by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: clear the entire TA area

Previously we cleared (memset to zero) the size corresponding to code
and data segments, however the allocation for the TA is made on the
granularity of the memory poo

core: clear the entire TA area

Previously we cleared (memset to zero) the size corresponding to code
and data segments, however the allocation for the TA is made on the
granularity of the memory pool, meaning that we did not clear all memory
and because of that we could potentially leak code and data of a
previous loaded TA.

Fixes: OP-TEE-2018-0006: "Potential disclosure of previously loaded TA
code and data"

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

lockdep: fix dup_call_stack()

dup_call_stack() does not properly deal with the sentinel. Fix it.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wikl

lockdep: fix dup_call_stack()

dup_call_stack() does not properly deal with the sentinel. Fix it.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

hikey960: set CFG_CORE_BGET_BESTFIT=y

Enables the "best fit" algorithm for core memory allocation on HiKey960.
This avoids occasional out-of-memory errors when running the full xtest
suite (with Glo

hikey960: set CFG_CORE_BGET_BESTFIT=y

Enables the "best fit" algorithm for core memory allocation on HiKey960.
This avoids occasional out-of-memory errors when running the full xtest
suite (with GlobalPlatform tests).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32mp1: init console from DTB

Get console configuration from embedded DTB when available.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissie

stm32mp1: init console from DTB

Get console configuration from embedded DTB when available.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32_uart: API to init console bus from a DTB

Introduce stm32_uart_init_from_dt_node() that initializes an UART
device from the given DT node. The function returns the reference
to the created UART

stm32_uart: API to init console bus from a DTB

Introduce stm32_uart_init_from_dt_node() that initializes an UART
device from the given DT node. The function returns the reference
to the created UART instance.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32mp1: early console configuration

This change allows the OP-TEE configuration to select the UART
instance used as OP-TEE console. This change also prepares
a next step where the console is selec

stm32mp1: early console configuration

This change allows the OP-TEE configuration to select the UART
instance used as OP-TEE console. This change also prepares
a next step where the console is selected from device tree
directives.

Map all secure and non-secure UARTs, only the expected virtual
areas will be accessed at runtime.

Value 23 chosen for CFG_MMAP_REGIONS is more than required. As
later changes will introduce new drivers, this value is expected
affordable (memory footprint) and allow new drivers to land without
needed to increment a static value.

CFG_STM32_EARLY_CONSOLE_UART also to specify the hard coded UART
interface used for early trace console.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32mp1: minor base address cleanup

Add few comments in platform_config.h to macros split definition
by topics.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech

stm32mp1: minor base address cleanup

Add few comments in platform_config.h to macros split definition
by topics.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32_uart: rename exported structure and add secure flag

Rename structure console_pdata into stm32_uart_pdata as it will
be exported over the platform and should not use such a generic
naming.

Thi

stm32_uart: rename exported structure and add secure flag

Rename structure console_pdata into stm32_uart_pdata as it will
be exported over the platform and should not use such a generic
naming.

This change adds a secure flag to the UART device instance for
used to get the appropriate virtual address when required.
An UART bus could be used by the secure world in secure mode or
in non-secure mode. A bus to a secure element likely mandates
secure hardening of the UART. A debug console over a non-secure
UART link may require the UART resources to be assigned to the
non-secure world.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...