From 8a47e764e8c67bb46f05a5ba92f93ae054313e59 Mon Sep 17 00:00:00 2001
From: Khoa Hoang
Date: Fri, 10 Apr 2020 21:07:17 -0700
Subject: core: arm: mm: fix VA overflow issue in assign_mem_va()

Fix assign_mem_va() that is missing VA limit check on 64bit machines. This change catches the overflow at address assignation preventing TEE to panic in a not obvious way when the out of bound address is accessed.

Signed-off-by: Khoa Hoang
Reviewed-by: Jens Wiklander
---
 core/arch/arm/mm/core_mmu.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

(limited to 'core/arch/arm/mm')

diff --git a/core/arch/arm/mm/core_mmu.c b/core/arch/arm/mm/core_mmu.c
index b6f20158..25690cd8 100644
--- a/core/arch/arm/mm/core_mmu.c
+++ b/core/arch/arm/mm/core_mmu.c
@@ -909,6 +909,14 @@ static void assign_mem_granularity(struct tee_mmap_region *memory_map)
 }
 }
 
+static unsigned int get_va_width(void)
+{
+ if (IS_ENABLED(ARM64))
+ return 64 - __builtin_ctzll(CFG_LPAE_ADDR_SPACE_SIZE);
+ else
+ return 32;
+}
+
 static bool assign_mem_va(vaddr_t tee_ram_va,
 struct tee_mmap_region *memory_map)
 {
@@ -935,6 +943,8 @@ static bool assign_mem_va(vaddr_t tee_ram_va,
 map->va = va;
 if (ADD_OVERFLOW(va, map->size, &va))
 return false;
+ if (IS_ENABLED(ARM64) && va >= BIT64(get_va_width()))
+ return false;
 }
 }
 
@@ -1006,6 +1016,8 @@ static bool assign_mem_va(vaddr_t tee_ram_va,
 map->va = va;
 if (ADD_OVERFLOW(va, map->size, &va))
 return false;
+ if (IS_ENABLED(ARM64) && va >= BIT64(get_va_width()))
+ return false;
 }
 }
 
@@ -1032,15 +1044,6 @@ static int cmp_init_mem_map(const void *a, const void *b)
 return rc;
 }
 
-static unsigned int get_va_width(void)
-{
-#ifdef ARM64
- return 64 - __builtin_ctzl(CFG_LPAE_ADDR_SPACE_SIZE);
-#else
- return 32;
-#endif
-}
-
 static bool mem_map_add_id_map(struct tee_mmap_region *memory_map,
 size_t num_elems, size_t *last,
 vaddr_t id_map_start, vaddr_t id_map_end)
-- cgit v1.2.3
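Review bot: The width returned by the relocated get_va_width() looks wrong for any address-space size other than 2^32: for a power-of-two CFG_LPAE_ADDR_SPACE_SIZE of 2^n, `__builtin_ctzll()` already yields n, so `64 - n` equals n only when n is 32. The definition of CFG_LPAE_ADDR_SPACE_SIZE is not visible in this patch, so this assumes it is a byte size that is a power of two. Because the limit this commit adds in assign_mem_va() is `BIT64(get_va_width())`, a larger configuration (for example 2^36, giving a width of 28) would make the check refuse valid addresses, and a smaller one would let addresses past the real limit through. Consider `return __builtin_ctzll(CFG_LPAE_ADDR_SPACE_SIZE);` plus a comment or compile-time assertion that the value is a non-zero power of two, since `__builtin_ctzll(0)` is undefined.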
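Review bot: The added bound `va >= BIT64(get_va_width())` is evaluated after `ADD_OVERFLOW` has advanced `va` to the end of the region just assigned, so if that end is exclusive, as the arithmetic suggests, a region finishing exactly at the top of the address space is rejected. `if (IS_ENABLED(ARM64) && va > BIT64(get_va_width()))` would accept it, or a short comment such as `/* end address must stay strictly below the VA limit */` should state that the stricter test is intended. The same two lines are added again in the hunk at -1006, so a small static helper shared by both sites would keep the limits in step. In both places `map->va` has already been written when the check fails, which deserves a one-line comment if callers are expected to discard the map on a `false` return. The body of assign_mem_va() starts and ends outside both hunks.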