/optee_os/core/tee/tee_svc.c

Commit 359324a2d577a98b4405c67e140b1cff41b1d7cd, Fri Oct 12 11:03:26 UTC 2018, Jens Wiklander <jens.wiklander@linaro.org>

svc: Initialize tmp_va_buf to prevent a TOCTOU attack

tmp_va_buf will be used if caller parameters point to private TA
memory. However, after doing the syscall to invoke the command it could
be that REE has changed caller parameters to point to regular shared
memory, and that could potentially lead to tmp_va_buf leaking old
information on the stack.

Mitigate this by simplifying tee_svc_update_out_param() to only take
tmp_buf_va[n] into account to tell if a temporary buffer is used or not.

Note that tee_svc_copy_to_user() will make sure that only data writeable
by the user TA can be updated.

Fixes: "Double fetch can be used to copy from uninitialized pointer" as
reported by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>