
Searched hist:"70b613102ce72808f6a0ad9f6f97f0545fd6ad02" (Results 1 – 2 of 2) sorted by relevance

/optee_os/core/tee/
tee_svc.c
70b613102ce72808f6a0ad9f6f97f0545fd6ad02 Tue Jan 29 16:44:51 UTC 2019 Jerome Forissier <jerome.forissier@linaro.org>
core: scrub user-tainted kernel heap memory before freeing it

Some syscalls can be used to poison kernel heap memory. Data copied from
userland is not wiped when the syscall returns. For instance, when doing
syscall_log() one can copy arbitrary data of variable length onto kernel
memory. When free() is called, the block is returned to the memory pool,
tainted with that userland data. This might be used in combination with
some other vulnerability to produce an exploit.

This patch uses free_wipe() to clear the buffers that have been used to
store user-provided data before returning them to the heap.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.4]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
tee_svc_cryp.c
70b613102ce72808f6a0ad9f6f97f0545fd6ad02 Tue Jan 29 16:44:51 UTC 2019 Jerome Forissier <jerome.forissier@linaro.org>
core: scrub user-tainted kernel heap memory before freeing it