core: utee_param_to_param(): set mobj to NULL when NULL memrefs of size 0

Set the tee_ta_param mobj to NULL if user parameter is a NULL memrefs
of size 0.
When mobj pointer is NULL, it also identify the last parameter of the list.

Fixes: 9d2e798360b5 ("core: TEE capability for null sized memrefs support")

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (HiKey960)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org>

1 files changed, 11 insertions, 1 deletions

diff --git a/core/tee/tee_svc.c b/core/tee/tee_svc.c
index fd334535..78b6a23f 100644
--- a/core/tee/tee_svc.c
+++ b/core/tee/tee_svc.c
@@ -514,9 +514,19 @@ static TEE_Result utee_param_to_param(struct user_ta_ctx *utc,
 			flags |= TEE_MEMORY_ACCESS_WRITE;
 			/*FALLTHROUGH*/
 		case TEE_PARAM_TYPE_MEMREF_INPUT:
-			p->u[n].mem.mobj = &mobj_virt;
 			p->u[n].mem.offs = a;
 			p->u[n].mem.size = b;
+
+			if (!p->u[n].mem.offs) {
+				/* Allow NULL memrefs if of size 0 */
+				if (p->u[n].mem.size)
+					return TEE_ERROR_BAD_PARAMETERS;
+				p->u[n].mem.mobj = NULL;
+				break;
+			}
+
+			p->u[n].mem.mobj = &mobj_virt;
+
 			if (tee_mmu_check_access_rights(&utc->uctx, flags, a,
 							b))
 				return TEE_ERROR_ACCESS_DENIED;