Commit af50130d authored by Jens Wiklander, committed by Zheng Zengkai

tee: fix memory leak in tee_shm_register()

stable inclusion
from stable-v5.10.138
commit 606fe84a41851ab8307bb6096189dc8f4c8ba16b
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I60QFD

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=606fe84a41851ab8307bb6096189dc8f4c8ba16b



--------------------------------

Moves the access_ok() check for valid memory range from user space from
the function tee_shm_register() to tee_ioctl_shm_register(). With this
we error out early before anything is done that must be undone on error.

Fixes: 578c349570d2 ("tee: add overflow check in register_shm_helper()")
Cc: stable@vger.kernel.org # 5.10
Reported-by: Pavel Machek <pavel@denx.de>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
Reviewed-by: Wei Li <liwei391@huawei.com>
parent f4566002
+3 −0
@@ -334,6 +334,9 @@ tee_ioctl_shm_register(struct tee_context *ctx,
	if (data.flags)
		return -EINVAL;

	if (!access_ok((void __user *)(unsigned long)data.addr, data.length))
		return -EFAULT;

	shm = tee_shm_register(ctx, data.addr, data.length,
			       TEE_SHM_DMA_BUF | TEE_SHM_USER_MAPPED);
	if (IS_ERR(shm))
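Review bot: the access_ok() check added in tee_ioctl_shm_register() just before the tee_shm_register() call carries no comment saying that, per the commit message, it is moved here from tee_shm_register(). A later refactor of this ioctl could drop or reorder it without noticing that the helper depends on it. A one-line comment stating that the user range must be validated here, before anything is allocated, would make that dependency explicit. The double cast `(void __user *)(unsigned long)data.addr` narrows data.addr to unsigned long before the check, which matches the `unsigned long addr` parameter in the tee_shm_register() signature shown in the next hunk, so the address that is checked and the address that is registered are the same value.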
+0 −3
@@ -222,9 +222,6 @@ struct tee_shm *tee_shm_register(struct tee_context *ctx, unsigned long addr,
		goto err;
	}

	if (!access_ok((void __user *)addr, length))
		return ERR_PTR(-EFAULT);

	mutex_lock(&teedev->mutex);
	shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL);
	mutex_unlock(&teedev->mutex);
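Review bot: with the access_ok() check removed from between the `goto err;` block and `mutex_lock(&teedev->mutex)`, tee_shm_register() now takes `addr` and `length` without validating them, so every caller that passes a user-space address has to perform the check itself, and this patch updates only tee_ioctl_shm_register(). Suggest stating that precondition in the function's comment and confirming that no other caller reaches this function with a user address. The removed `return ERR_PTR(-EFAULT);` was a direct return at a point where the preceding failure path uses `goto err;`, which is consistent with the leak named in the subject line.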