authorJens Wiklander <jens.wiklander@linaro.org>2020-09-11 09:54:10 +0200
committerJérôme Forissier <jerome@forissier.org>2020-09-24 15:39:13 +0200
commite12c9f67d12c24a39ec0b98049e445bb3ae7a23e (patch)
treebeaefa5b48279ddd4d4a4d03b2df4205dcaf37a5 /core/tee
parent4731662fc51ddf0ad34a29fbd542546840c6189b (diff)
core: strict buffer check in syscalls following GP 1.1
GP 1.1 [1] and also earlier specifications have certain annotations in the descriptions of API functions to, among other things, describe which kind of memory a buffer is required to reside in. It could be readable, writeable, in shared memory or in TA private memory. The following syscalls are updated with slightly stricter checks with regards to TA private memory where needed: - syscall_open_ta_session() - syscall_invoke_ta_command() - syscall_get_time() - syscall_set_ta_time() - syscall_cryp_obj_get_info() - syscall_cryp_random_number_generate() - syscall_authenc_dec_final() - syscall_storage_next_enum() - syscall_storage_obj_read() - syscall_storage_obj_write() [1]: GlobalPlatform TEE Internal Core API Specification v1.1 Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jerome Forissier <jerome@forissier.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Diffstat (limited to 'core/tee')
-rw-r--r--core/tee/tee_svc.c13
-rw-r--r--core/tee/tee_svc_cryp.c9
-rw-r--r--core/tee/tee_svc_storage.c20
3 files changed, 15 insertions, 27 deletions
diff --git a/core/tee/tee_svc.c b/core/tee/tee_svc.c
index 3b7b5acc..b36f6db4 100644
--- a/core/tee/tee_svc.c
+++ b/core/tee/tee_svc.c
@@ -795,7 +795,7 @@ TEE_Result syscall_open_ta_session(const TEE_UUID *dest,
goto out_free_only;
utc = to_user_ta_ctx(sess->ctx);
- res = copy_from_user(uuid, dest, sizeof(TEE_UUID));
+ res = copy_from_user_private(uuid, dest, sizeof(TEE_UUID));
if (res != TEE_SUCCESS)
goto function_exit;
@@ -819,8 +819,8 @@ TEE_Result syscall_open_ta_session(const TEE_UUID *dest,
function_exit:
mobj_put_wipe(mobj_param);
if (res == TEE_SUCCESS)
- copy_to_user(ta_sess, &s->id, sizeof(s->id));
- copy_to_user(ret_orig, &ret_o, sizeof(ret_o));
+ copy_to_user_private(ta_sess, &s->id, sizeof(s->id));
+ copy_to_user_private(ret_orig, &ret_o, sizeof(ret_o));
out_free_only:
free_wipe(param);
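Review bot: The results of both `copy_to_user_private()` calls at the end of syscall_open_ta_session are discarded, so a `ta_sess` or `ret_orig` buffer that used to pass `copy_to_user()` but now fails the stricter private-memory check leaves the TA with TEE_SUCCESS and an output it never received; the same discarded result appears in the syscall_invoke_ta_command hunk below. If `ret_orig` is legitimately optional (the `if (ret_orig)` guard removed in that hunk suggests it may be NULL), the error cannot be propagated unconditionally; otherwise the syscall_get_time hunk in this file already shows the shape to follow, `res2 = copy_to_user_private(ret_orig, &ret_o, sizeof(ret_o)); if (res2 != TEE_SUCCESS) res = res2;`, with a matching check for the `ta_sess` copy. syscall_open_ta_session starts outside the hunk.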
@@ -909,8 +909,7 @@ TEE_Result syscall_invoke_ta_command(unsigned long ta_sess,
function_exit:
tee_ta_put_session(called_sess);
mobj_put_wipe(mobj_param);
- if (ret_orig)
- copy_to_user(ret_orig, &ret_o, sizeof(ret_o));
+ copy_to_user_private(ret_orig, &ret_o, sizeof(ret_o));
return res;
}
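Review bot: Dropping the `if (ret_orig)` guard makes it implicit that a NULL `ret_orig` is tolerated only because the return value of `copy_to_user_private()` is ignored on the next line; whether the helper rejects a NULL destination cleanly is not visible in this hunk. A short comment would keep that intent readable, e.g. `/* ret_orig may be NULL; a failed copy is presumably not reported on purpose */`. syscall_invoke_ta_command starts outside the hunk.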
@@ -1034,7 +1033,7 @@ TEE_Result syscall_get_time(unsigned long cat, TEE_Time *mytime)
}
if (res == TEE_SUCCESS || res == TEE_ERROR_OVERFLOW) {
- res2 = copy_to_user(mytime, &t, sizeof(t));
+ res2 = copy_to_user_private(mytime, &t, sizeof(t));
if (res2 != TEE_SUCCESS)
res = res2;
}
@@ -1052,7 +1051,7 @@ TEE_Result syscall_set_ta_time(const TEE_Time *mytime)
if (res != TEE_SUCCESS)
return res;
- res = copy_from_user(&t, mytime, sizeof(t));
+ res = copy_from_user_private(&t, mytime, sizeof(t));
if (res != TEE_SUCCESS)
return res;
diff --git a/core/tee/tee_svc_cryp.c b/core/tee/tee_svc_cryp.c
index 060222e2..e0337d5c 100644
--- a/core/tee/tee_svc_cryp.c
+++ b/core/tee/tee_svc_cryp.c
@@ -901,7 +901,7 @@ TEE_Result syscall_cryp_obj_get_info(unsigned long obj, TEE_ObjectInfo *info)
if (res != TEE_SUCCESS)
goto exit;
- res = copy_to_user(info, &o->info, sizeof(o->info));
+ res = copy_to_user_private(info, &o->info, sizeof(o->info));
exit:
return res;
@@ -3176,8 +3176,7 @@ TEE_Result syscall_cryp_random_number_generate(void *buf, size_t blen)
return res;
res = tee_mmu_check_access_rights(&to_user_ta_ctx(sess->ctx)->uctx,
- TEE_MEMORY_ACCESS_WRITE |
- TEE_MEMORY_ACCESS_ANY_OWNER,
+ TEE_MEMORY_ACCESS_WRITE,
(uaddr_t)buf, blen);
if (res != TEE_SUCCESS)
return res;
@@ -3480,9 +3479,7 @@ TEE_Result syscall_authenc_dec_final(unsigned long state,
goto out;
}
- res = tee_mmu_check_access_rights(uctx,
- TEE_MEMORY_ACCESS_READ |
- TEE_MEMORY_ACCESS_ANY_OWNER,
+ res = tee_mmu_check_access_rights(uctx, TEE_MEMORY_ACCESS_READ,
(uaddr_t)tag, tag_len);
if (res != TEE_SUCCESS)
return res;
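Review bot: A failed access check on `tag` leaves syscall_authenc_dec_final with a bare `return res;` while the branch a few lines above leaves via `goto out;`; if the `out:` label releases anything acquired earlier in the function, this direct return skips that cleanup. The return is pre-existing context rather than part of the change, but since the hunk rewrites the statement just above it, changing it to `goto out;` (if `out:` does perform cleanup) would be cheap to include here. syscall_authenc_dec_final starts and ends outside the hunk.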
diff --git a/core/tee/tee_svc_storage.c b/core/tee/tee_svc_storage.c
index bdac25f7..5c8bb050 100644
--- a/core/tee/tee_svc_storage.c
+++ b/core/tee/tee_svc_storage.c
@@ -740,17 +740,13 @@ TEE_Result syscall_storage_next_enum(unsigned long obj_enum,
goto exit;
/* check rights of the provided buffers */
- res = tee_mmu_check_access_rights(&utc->uctx,
- TEE_MEMORY_ACCESS_WRITE |
- TEE_MEMORY_ACCESS_ANY_OWNER,
+ res = tee_mmu_check_access_rights(&utc->uctx, TEE_MEMORY_ACCESS_WRITE,
(uaddr_t)info,
sizeof(TEE_ObjectInfo));
if (res != TEE_SUCCESS)
goto exit;
- res = tee_mmu_check_access_rights(&utc->uctx,
- TEE_MEMORY_ACCESS_WRITE |
- TEE_MEMORY_ACCESS_ANY_OWNER,
+ res = tee_mmu_check_access_rights(&utc->uctx, TEE_MEMORY_ACCESS_WRITE,
(uaddr_t)obj_id,
TEE_OBJECT_ID_MAX_LEN);
if (res != TEE_SUCCESS)
@@ -787,7 +783,7 @@ TEE_Result syscall_storage_next_enum(unsigned long obj_enum,
memcpy(obj_id, o->pobj->obj_id, o->pobj->obj_id_len);
l = o->pobj->obj_id_len;
- res = copy_to_user(len, &l, sizeof(*len));
+ res = copy_to_user_private(len, &l, sizeof(*len));
exit:
if (o) {
@@ -835,9 +831,7 @@ TEE_Result syscall_storage_obj_read(unsigned long obj, void *data, size_t len,
}
/* check rights of the provided buffer */
- res = tee_mmu_check_access_rights(&utc->uctx,
- TEE_MEMORY_ACCESS_WRITE |
- TEE_MEMORY_ACCESS_ANY_OWNER,
+ res = tee_mmu_check_access_rights(&utc->uctx, TEE_MEMORY_ACCESS_WRITE,
(uaddr_t)data, len);
if (res != TEE_SUCCESS)
goto exit;
@@ -859,7 +853,7 @@ TEE_Result syscall_storage_obj_read(unsigned long obj, void *data, size_t len,
o->info.dataPosition += bytes;
u_count = bytes;
- res = copy_to_user(count, &u_count, sizeof(*count));
+ res = copy_to_user_private(count, &u_count, sizeof(*count));
exit:
return res;
}
@@ -898,9 +892,7 @@ TEE_Result syscall_storage_obj_write(unsigned long obj, void *data, size_t len)
}
/* check rights of the provided buffer */
- res = tee_mmu_check_access_rights(&utc->uctx,
- TEE_MEMORY_ACCESS_READ |
- TEE_MEMORY_ACCESS_ANY_OWNER,
+ res = tee_mmu_check_access_rights(&utc->uctx, TEE_MEMORY_ACCESS_READ,
(uaddr_t)data, len);
if (res != TEE_SUCCESS)
goto exit;