From e12c9f67d12c24a39ec0b98049e445bb3ae7a23e Mon Sep 17 00:00:00 2001
From: Jens Wiklander
Date: Fri, 11 Sep 2020 09:54:10 +0200
Subject: core: strict buffer check in syscalls following GP 1.1

GP 1.1 [1] and also earlier specifications has certain annotation in the description of API functions to among other things describe which kind of memory a buffer is required to reside in. It could be readable, writeable, in shared memory in TA private memory.

The following syscalls are updated with slightly stricter checks with regards to TA private memory where needed:
- syscall_open_ta_session()
- syscall_invoke_ta_command()
- syscall_get_time()
- syscall_set_ta_time()
- syscall_cryp_obj_get_info()
- syscall_cryp_random_number_generate()
- syscall_authenc_dec_final()
- syscall_storage_next_enum()
- syscall_storage_obj_read()
- syscall_storage_obj_write()

[1]: GlobalPlatform TEE Internal Core API Specification v1.1

Acked-by: Etienne Carriere
Reviewed-by: Jerome Forissier
Signed-off-by: Jens Wiklander
---
 core/tee/tee_svc_storage.c | 20 ++++++-------------
 1 file changed, 6 insertions(+), 14 deletions(-)
(limited to 'core/tee/tee_svc_storage.c')

diff --git a/core/tee/tee_svc_storage.c b/core/tee/tee_svc_storage.c
index bdac25f7..5c8bb050 100644
--- a/core/tee/tee_svc_storage.c
+++ b/core/tee/tee_svc_storage.c
@@ -740,17 +740,13 @@ TEE_Result syscall_storage_next_enum(unsigned long obj_enum,
 goto exit;

 /* check rights of the provided buffers */
- res = tee_mmu_check_access_rights(&utc->uctx,
- TEE_MEMORY_ACCESS_WRITE |
- TEE_MEMORY_ACCESS_ANY_OWNER,
+ res = tee_mmu_check_access_rights(&utc->uctx, TEE_MEMORY_ACCESS_WRITE,
 (uaddr_t)info, sizeof(TEE_ObjectInfo));
 if (res != TEE_SUCCESS)
 goto exit;

- res = tee_mmu_check_access_rights(&utc->uctx,
- TEE_MEMORY_ACCESS_WRITE |
- TEE_MEMORY_ACCESS_ANY_OWNER,
+ res = tee_mmu_check_access_rights(&utc->uctx, TEE_MEMORY_ACCESS_WRITE,
 (uaddr_t)obj_id, TEE_OBJECT_ID_MAX_LEN);
 if (res != TEE_SUCCESS)
@@ -787,7 +783,7 @@ TEE_Result syscall_storage_next_enum(unsigned long obj_enum,
 memcpy(obj_id, o->pobj->obj_id, o->pobj->obj_id_len);
 l = o->pobj->obj_id_len;

- res = copy_to_user(len, &l, sizeof(*len));
+ res = copy_to_user_private(len, &l, sizeof(*len));

 exit:
 if (o) {
@@ -835,9 +831,7 @@ TEE_Result syscall_storage_obj_read(unsigned long obj, void *data, size_t len,
 }

 /* check rights of the provided buffer */
- res = tee_mmu_check_access_rights(&utc->uctx,
- TEE_MEMORY_ACCESS_WRITE |
- TEE_MEMORY_ACCESS_ANY_OWNER,
+ res = tee_mmu_check_access_rights(&utc->uctx, TEE_MEMORY_ACCESS_WRITE,
 (uaddr_t)data, len);
 if (res != TEE_SUCCESS)
 goto exit;
@@ -859,7 +853,7 @@ TEE_Result syscall_storage_obj_read(unsigned long obj, void *data, size_t len,
 o->info.dataPosition += bytes;
 u_count = bytes;
- res = copy_to_user(count, &u_count, sizeof(*count));
+ res = copy_to_user_private(count, &u_count, sizeof(*count));

 exit:
 return res;
 }
@@ -898,9 +892,7 @@ TEE_Result syscall_storage_obj_write(unsigned long obj, void *data, size_t len)
 }

 /* check rights of the provided buffer */
- res = tee_mmu_check_access_rights(&utc->uctx,
- TEE_MEMORY_ACCESS_READ |
- TEE_MEMORY_ACCESS_ANY_OWNER,
+ res = tee_mmu_check_access_rights(&utc->uctx, TEE_MEMORY_ACCESS_READ,
 (uaddr_t)data, len);
 if (res != TEE_SUCCESS)
 goto exit;
-- 
cgit v1.2.3
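Review bot: In syscall_storage_next_enum the `len` out-parameter is validated only by the new `copy_to_user_private(len, &l, sizeof(*len))` call, after `obj_id` has already been filled by the memcpy two lines above, so a caller passing a `len` pointer outside TA-private memory gets an error back with the object id buffer already written and, if the enumerator position is advanced earlier in the function (not visible in the hunk), with that state advanced too. The same ordering appears in the `@@ -859` hunk of syscall_storage_obj_read, where `o->info.dataPosition += bytes` precedes `copy_to_user_private(count, ...)`. Checking the out-parameter up front next to the existing buffer checks, e.g. `res = tee_mmu_check_access_rights(&utc->uctx, TEE_MEMORY_ACCESS_WRITE, (uaddr_t)len, sizeof(*len));` followed by `if (res != TEE_SUCCESS) goto exit;`, keeps the error path free of side effects while the later copy_to_user_private remains the actual write. The libutee wrapper presumably panics on this error class anyway, so this is about keeping TEE-side object state consistent rather than about exploitability. Both functions start and end outside their hunks.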
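Review bot: The comment `/* check rights of the provided buffer */` above the narrowed tee_mmu_check_access_rights() call in syscall_storage_obj_read no longer says what the check enforces: with TEE_MEMORY_ACCESS_ANY_OWNER dropped, a `data` buffer that lives in memory shared with the client (for instance a memref parameter handed straight through) is now rejected, a visible behaviour change for existing TAs that the commit message describes only as "slightly stricter". I would record the rationale at the check site so the flag is not reintroduced the first time a TA breaks, e.g. `/* GP 1.1 annotates this buffer as TA private memory, so shared memory is deliberately rejected (no TEE_MEMORY_ACCESS_ANY_OWNER) */`. The same comment wording sits above the equivalent checks in the `@@ -898` hunk of syscall_storage_obj_write and in the syscall_storage_next_enum hunk at `@@ -740`. Whether a per-build opt-out is wanted for legacy TAs is a policy question worth a sentence in the commit message or release notes. Both functions start and end outside their hunks.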