author | Jens Wiklander <jens.wiklander@linaro.org> | 2020-09-11 09:54:10 +0200 |
---|---|---|
committer | Jérôme Forissier <jerome@forissier.org> | 2020-09-24 15:39:13 +0200 |
commit | e12c9f67d12c24a39ec0b98049e445bb3ae7a23e (patch) | |
tree | beaefa5b48279ddd4d4a4d03b2df4205dcaf37a5 /core/tee/tee_svc_storage.c | |
parent | 4731662fc51ddf0ad34a29fbd542546840c6189b (diff) |
core: strict buffer check in syscalls following GP 1.1
GP 1.1 [1], and also earlier specifications, carry annotations in the
description of each API function that, among other things, describe which
kind of memory a buffer is required to reside in: readable, writeable, in
shared memory, or in TA private memory.
The following syscalls are updated with slightly stricter checks with
regards to TA private memory where needed:
- syscall_open_ta_session()
- syscall_invoke_ta_command()
- syscall_get_time()
- syscall_set_ta_time()
- syscall_cryp_obj_get_info()
- syscall_cryp_random_number_generate()
- syscall_authenc_dec_final()
- syscall_storage_next_enum()
- syscall_storage_obj_read()
- syscall_storage_obj_write()
[1]: GlobalPlatform TEE Internal Core API Specification v1.1
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Diffstat (limited to 'core/tee/tee_svc_storage.c')
-rw-r--r-- | core/tee/tee_svc_storage.c | 20 |
1 files changed, 6 insertions, 14 deletions
diff --git a/core/tee/tee_svc_storage.c b/core/tee/tee_svc_storage.c
index bdac25f7..5c8bb050 100644
--- a/core/tee/tee_svc_storage.c
+++ b/core/tee/tee_svc_storage.c
@@ -740,17 +740,13 @@ TEE_Result syscall_storage_next_enum(unsigned long obj_enum,
 goto exit;
 /* check rights of the provided buffers */
- res = tee_mmu_check_access_rights(&utc->uctx,
- TEE_MEMORY_ACCESS_WRITE |
- TEE_MEMORY_ACCESS_ANY_OWNER,
+ res = tee_mmu_check_access_rights(&utc->uctx, TEE_MEMORY_ACCESS_WRITE,
 (uaddr_t)info, sizeof(TEE_ObjectInfo));
 if (res != TEE_SUCCESS)
 goto exit;
- res = tee_mmu_check_access_rights(&utc->uctx,
- TEE_MEMORY_ACCESS_WRITE |
- TEE_MEMORY_ACCESS_ANY_OWNER,
+ res = tee_mmu_check_access_rights(&utc->uctx, TEE_MEMORY_ACCESS_WRITE,
 (uaddr_t)obj_id, TEE_OBJECT_ID_MAX_LEN);
 if (res != TEE_SUCCESS)
@@ -787,7 +783,7 @@ TEE_Result syscall_storage_next_enum(unsigned long obj_enum,
 memcpy(obj_id, o->pobj->obj_id, o->pobj->obj_id_len);
 l = o->pobj->obj_id_len;
- res = copy_to_user(len, &l, sizeof(*len));
+ res = copy_to_user_private(len, &l, sizeof(*len));
 exit:
 if (o) {
@@ -835,9 +831,7 @@ TEE_Result syscall_storage_obj_read(unsigned long obj, void *data, size_t len,
 }
 /* check rights of the provided buffer */
- res = tee_mmu_check_access_rights(&utc->uctx,
- TEE_MEMORY_ACCESS_WRITE |
- TEE_MEMORY_ACCESS_ANY_OWNER,
+ res = tee_mmu_check_access_rights(&utc->uctx, TEE_MEMORY_ACCESS_WRITE,
 (uaddr_t)data, len);
 if (res != TEE_SUCCESS)
 goto exit;
@@ -859,7 +853,7 @@ TEE_Result syscall_storage_obj_read(unsigned long obj, void *data, size_t len,
 o->info.dataPosition += bytes;
 u_count = bytes;
- res = copy_to_user(count, &u_count, sizeof(*count));
+ res = copy_to_user_private(count, &u_count, sizeof(*count));
 exit:
 return res;
 }
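Review bot: The comment `/* check rights of the provided buffers */` above the two rewritten tee_mmu_check_access_rights() calls in the hunk at line 740 still describes the old check and says nothing about why TEE_MEMORY_ACCESS_ANY_OWNER was dropped, which is the whole point of the change. A maintainer who later sees a TA fail here with a client-supplied buffer will look for that reason in the code, not in the commit message; suggest `/* GP 1.1: info and obj_id must be TA private memory, so no TEE_MEMORY_ACCESS_ANY_OWNER */`. Presumably requiring TA-owned memory also closes the window in which a shared buffer could be rewritten by the non-secure side between this check and the later memcpy, which is worth a word if that is part of the intent. syscall_storage_next_enum() starts before this hunk.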
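Review bot: In the hunk at line 783, `copy_to_user_private(len, &l, sizeof(*len))` is the first place the `len` out-pointer is validated, and it runs after `memcpy(obj_id, o->pobj->obj_id, o->pobj->obj_id_len)` has already written the caller's obj_id buffer (and after `info` was checked, and presumably filled, earlier in the function). A `len` pointer outside TA private memory therefore fails only after partial output has been produced, and any enumerator state advanced before this point stays advanced. Checking it up front next to the other two buffers, `res = tee_mmu_check_access_rights(&utc->uctx, TEE_MEMORY_ACCESS_WRITE, (uaddr_t)len, sizeof(*len));`, would make the syscall all-or-nothing. The rest of syscall_storage_next_enum() lies outside this hunk, so I cannot see whether `len` is validated earlier.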
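Review bot: In the hunk at line 853, `o->info.dataPosition += bytes` is committed before `copy_to_user_private(count, &u_count, sizeof(*count))` validates the `count` pointer, so a `count` that is not in TA private memory returns an error with the object's read position already advanced by `bytes`. A subsequent read on the same handle would then silently skip that data. Since the `data` buffer is already checked up front in the hunk at line 831, the cheapest fix is to add `res = tee_mmu_check_access_rights(&utc->uctx, TEE_MEMORY_ACCESS_WRITE, (uaddr_t)count, sizeof(*count));` there, before the read is performed; alternatively defer the position update until the copy has succeeded. syscall_storage_obj_read() begins outside these hunks, so I cannot see whether `count` is checked earlier.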
@@ -898,9 +892,7 @@ TEE_Result syscall_storage_obj_write(unsigned long obj, void *data, size_t len)
 }
 /* check rights of the provided buffer */
- res = tee_mmu_check_access_rights(&utc->uctx,
- TEE_MEMORY_ACCESS_READ |
- TEE_MEMORY_ACCESS_ANY_OWNER,
+ res = tee_mmu_check_access_rights(&utc->uctx, TEE_MEMORY_ACCESS_READ,
 (uaddr_t)data, len);
 if (res != TEE_SUCCESS)
 goto exit; |
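Review bot: Dropping TEE_MEMORY_ACCESS_ANY_OWNER from the `data` check in syscall_storage_obj_write() is a behaviour change visible to TAs that hand a client's shared-memory parameter straight to TEE_WriteObjectData(); presumably such calls now fail this check where they previously passed. The comment `/* check rights of the provided buffer */` does not record that, so suggest `/* GP 1.1: data must be TA private memory; shared (client) buffers are rejected */` so the reason outlives the commit message. syscall_storage_obj_write() starts and ends outside this hunk.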