authorJens Wiklander <jens.wiklander@linaro.org>2021-10-28 08:37:04 +0200
committerJérôme Forissier <jerome@forissier.org>2021-11-03 11:07:37 +0100
commit16dfecc2a143d08f2b271cbf3eadeb68d6dfeca5 (patch)
treeaf957adf6870feef90a16ce3a82de344f4efce6d /core
parenta7474d1d0b780fc4f8a93883ae3f21320b155998 (diff)
core: fix ASLR problem with short-descriptor table mappings
With short-descriptor table mappings, that is without LPAE, the user va range is defined at the lowest addresses. Depending on the seed supplied this could conflict with the chosen base address for core mappings. Add a check early in assign_mem_va() to avoid such conflicts. Without this patch there's a risk of occasional panics like: E/TC:0 0 Panic 'issue in linear address space' at core/arch/arm/mm/core_mmu.c:2147 <check_pa_matches_va> E/TC:0 0 TEE load address @ 0xa34000 E/TC:0 0 Call stack: E/TC:0 0 0x00a3a901 Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jerome Forissier <jerome@forissier.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Diffstat (limited to 'core')
-rw-r--r--core/arch/arm/mm/core_mmu.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/core/arch/arm/mm/core_mmu.c b/core/arch/arm/mm/core_mmu.c
index 4db639ef..330edf35 100644
--- a/core/arch/arm/mm/core_mmu.c
+++ b/core/arch/arm/mm/core_mmu.c
@@ -916,6 +916,25 @@ static bool assign_mem_va(vaddr_t tee_ram_va,
vaddr_t va = tee_ram_va;
bool va_is_secure = true;
+ /*
+ * Check that we're not overlapping with the user VA range.
+ */
+ if (IS_ENABLED(CFG_WITH_LPAE)) {
+ /*
+ * User VA range is supposed to be defined after these
+ * mappings have been established.
+ */
+ assert(!core_mmu_user_va_range_is_defined());
+ } else {
+ vaddr_t user_va_base = 0;
+ size_t user_va_size = 0;
+
+ assert(core_mmu_user_va_range_is_defined());
+ core_mmu_get_user_va_range(&user_va_base, &user_va_size);
+ if (tee_ram_va < (user_va_base + user_va_size))
+ return false;
+ }
+
/* Clear eventual previous assignments */
for (map = memory_map; !core_mmap_is_end_of_table(map); map++)
map->va = 0;
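Review bot: In the non-LPAE branch the overlap check relies on `assert(core_mmu_user_va_range_is_defined())` for its precondition, while `user_va_base` and `user_va_size` start at 0. If asserts are compiled out in some build (not visible from this hunk) and `core_mmu_get_user_va_range()` leaves its outputs untouched when no range is defined, the comparison becomes `tee_ram_va < 0`, which is never true, so the check passes without validating anything. Failing closed with a runtime test ahead of the comparison, e.g. `if (!core_mmu_user_va_range_is_defined()) return false;`, would keep the ASLR collision guard effective regardless of assert configuration. The check also looks only at `tee_ram_va` itself, so the comment should state that no region is expected to be assigned below `tee_ram_va` in this configuration. The rest of assign_mem_va() lies outside the hunk, so that assumption could not be confirmed here.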