diff options
author | Jens Wiklander <jens.wiklander@linaro.org> | 2022-08-23 10:23:26 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-08-25 11:38:24 +0200 |
commit | 606fe84a41851ab8307bb6096189dc8f4c8ba16b (patch) | |
tree | e28fc979c708be272474a52c3532deeaba685598 /drivers/tee | |
parent | 3527e3cbb84d8868c4d4e91ba55915f96d39ec3d (diff) |
tee: fix memory leak in tee_shm_register()
Moves the access_ok() check for valid memory range from user space from
the function tee_shm_register() to tee_ioctl_shm_register(). With this
we error out early before anything is done that must be undone on error.
Fixes: 578c349570d2 ("tee: add overflow check in register_shm_helper()")
Cc: stable@vger.kernel.org # 5.10
Reported-by: Pavel Machek <pavel@denx.de>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/tee')
-rw-r--r-- | drivers/tee/tee_core.c | 3 | ||||
-rw-r--r-- | drivers/tee/tee_shm.c | 3 |
2 files changed, 3 insertions, 3 deletions
diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c index e07f997cf8dd..9cc4a7b63b0d 100644 --- a/drivers/tee/tee_core.c +++ b/drivers/tee/tee_core.c @@ -334,6 +334,9 @@ tee_ioctl_shm_register(struct tee_context *ctx, if (data.flags) return -EINVAL; + if (!access_ok((void __user *)(unsigned long)data.addr, data.length)) + return -EFAULT; + shm = tee_shm_register(ctx, data.addr, data.length, TEE_SHM_DMA_BUF | TEE_SHM_USER_MAPPED); if (IS_ERR(shm)) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index 6e662fb131d5..499fccba3d74 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -222,9 +222,6 @@ struct tee_shm *tee_shm_register(struct tee_context *ctx, unsigned long addr, goto err; } - if (!access_ok((void __user *)addr, length)) - return ERR_PTR(-EFAULT); - mutex_lock(&teedev->mutex); shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL); mutex_unlock(&teedev->mutex); |