From: sashiko-bot@kernel.org
To: "Sebastian Ene" <sebastianene@google.com>
Cc: kvmarm@lists.linux.dev, "Marc Zyngier" <maz@kernel.org>,
"Oliver Upton" <oupton@kernel.org>
Subject: Re: [PATCH v7 1/7] optee: ffa: Add NULL check in optee_ffa_lend_protmem
Date: Wed, 17 Jun 2026 15:07:52 +0000 [thread overview]
Message-ID: <20260617150752.BBBEC1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260617145130.3729015-2-sebastianene@google.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Integer division truncation when validating the TEE's response size in `get_protmem_config` allows out-of-bounds memory accesses and NULL pointer dereferences.
- [High] A malicious or compromised TEE returning TEEC_SUCCESS with a non-zero attribute size when no buffer was supplied causes a NULL pointer dereference in `optee_ffa_lend_protmem`.
- [High] The `optee_protmem_dyn_pool` structure leaks its `mem_attrs` array when the pool is destroyed.
--
commit e70191e60cbc95a8fabdaddc766ad1d432febd3b
Author: Mostafa Saleh <smostafa@google.com>
optee: ffa: Add NULL check in optee_ffa_lend_protmem
Sashiko (locally) reports a possible null dereference under memory
pressure due to the lack of validation of the allocated pointer. Fix that
by adding the missing check.
> diff --git a/drivers/tee/optee/ffa_abi.c b/drivers/tee/optee/ffa_abi.c
> index b4372fa268d03..633715b98625c 100644
> --- a/drivers/tee/optee/ffa_abi.c
> +++ b/drivers/tee/optee/ffa_abi.c
> @@ -698,6 +698,9 @@ static int optee_ffa_lend_protmem(struct optee *optee, struct tee_shm *protmem,
> int rc;
>
> mem_attr = kzalloc_objs(*mem_attr, ma_count);
> + if (!mem_attr)
> + return -ENOMEM;
> +
> for (n = 0; n < ma_count; n++) {
> mem_attr[n].receiver = mem_attrs[n] & U16_MAX;
[Severity: High]
This is a pre-existing issue, but can this lead to a NULL pointer
dereference of the mem_attrs array if the TEE returns malformed data?
If get_protmem_config() in drivers/tee/optee/protmem.c is called with
mem_attrs == NULL to probe the array size, and the TEE returns
TEEC_SUCCESS (0) with params[1].u.memref.size > 0:
drivers/tee/optee/protmem.c:get_protmem_config() {
...
*ma_count = params[1].u.memref.size / sizeof(*mem_attrs);
...
}
This skips the TEEC_ERROR_SHORT_BUFFER check. The caller
optee_protmem_alloc_dyn_pool() sees rc == 0:
drivers/tee/optee/protmem.c:optee_protmem_alloc_dyn_pool() {
...
if (rc) {
if (rc != -ENOSPC)
goto err;
...
}
This bypasses the allocation of rp->mem_attrs, leaving it NULL while
rp->mem_attr_count is > 0. When init_dyn_protmem() later calls
optee_ffa_lend_protmem(), doesn't the loop here dereference the NULL
mem_attrs array?
[Severity: High]
This isn't a bug introduced by this patch, but does
optee_protmem_dyn_pool leak its mem_attrs array?
In optee_protmem_alloc_dyn_pool(), rp->mem_attrs is dynamically
allocated:
drivers/tee/optee/protmem.c:optee_protmem_alloc_dyn_pool() {
...
rp->mem_attrs = kcalloc(rp->mem_attr_count,
sizeof(*rp->mem_attrs), GFP_KERNEL);
...
}
However, in the destruction path pool_op_dyn_destroy_pool(), it appears
the array is not freed before destroying the pool:
drivers/tee/optee/protmem.c:pool_op_dyn_destroy_pool() {
...
mutex_destroy(&rp->mutex);
kfree(rp);
}
If dynamic pools are repeatedly created and destroyed, could this leak
memory on every destruction cycle?
[Severity: Critical]
This is a pre-existing issue, but does the size validation in
get_protmem_config() suffer from integer division truncation?
If the TEE returns a size that is not a multiple of the struct size
(e.g., 7 when *ma_count is 1), does this check fail to catch the invalid
size?
drivers/tee/optee/protmem.c:get_protmem_config() {
...
if (!msg_arg->ret && mem_attrs &&
*ma_count < params[1].u.memref.size / sizeof(*mem_attrs)) {
...
}
Since 7 / 4 evaluates to 1, the condition 1 < 1 is false. Would this
bypass the error path and lead to an out-of-bounds memcpy?
drivers/tee/optee/protmem.c:get_protmem_config() {
...
if (mem_attrs)
memcpy(mem_attrs, tee_shm_get_va(shm_param, 0),
params[1].u.memref.size);
...
}
Additionally, on the initial probe where mem_attrs == NULL, if the TEE
returns a size of 3, rp->mem_attr_count becomes 0. On the second call,
kcalloc(0, 4) returns ZERO_SIZE_PTR. If the TEE again returns size 3,
the check evaluates to 0 < 0 (false). Would this result in passing NULL
to tee_shm_get_va() and causing a NULL pointer dereference inside that
function?
> mem_attr[n].attrs = mem_attrs[n] >> 16;
> }
> args.attrs = mem_attr;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260617145130.3729015-1-sebastianene@google.com?part=1
next prev parent reply other threads:[~2026-06-17 15:07 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-17 14:51 [PATCH v7 0/7] arm_ffa, KVM: Fix FF-A emad offset calculations Sebastian Ene
2026-06-17 14:51 ` Sebastian Ene via OP-TEE
2026-06-17 14:51 ` [PATCH v7 1/7] optee: ffa: Add NULL check in optee_ffa_lend_protmem Sebastian Ene
2026-06-17 14:51 ` Sebastian Ene via OP-TEE
2026-06-17 15:07 ` sashiko-bot [this message]
2026-06-17 14:51 ` [PATCH v7 2/7] firmware: arm_ffa: Fix out-of-bound writes in ffa_setup_and_transmit() Sebastian Ene
2026-06-17 14:51 ` Sebastian Ene via OP-TEE
2026-06-17 14:51 ` [PATCH v7 3/7] firmware: arm_ffa: Fix Endpoint Memory Access Descriptor offset calculation Sebastian Ene
2026-06-17 14:51 ` Sebastian Ene via OP-TEE
2026-06-17 14:51 ` [PATCH v7 4/7] KVM: arm64: Fix bounds checking in do_ffa_mem_reclaim() Sebastian Ene
2026-06-17 14:51 ` Sebastian Ene via OP-TEE
2026-06-17 15:18 ` sashiko-bot
2026-06-17 14:51 ` [PATCH v7 5/7] KVM: arm64: Validate the offset to the mem access descriptor Sebastian Ene
2026-06-17 14:51 ` Sebastian Ene via OP-TEE
2026-06-17 14:51 ` [PATCH v7 6/7] KVM: arm64: Ensure FFA ranges are page aligned Sebastian Ene
2026-06-17 14:51 ` Sebastian Ene via OP-TEE
2026-06-17 14:51 ` [PATCH v7 7/7] KVM: arm64: Zero out the stack initialized data in the FFA handler Sebastian Ene
2026-06-17 14:51 ` Sebastian Ene via OP-TEE
2026-06-17 15:29 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260617150752.BBBEC1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=maz@kernel.org \
--cc=oupton@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=sebastianene@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.