FAILED: patch "[PATCH] tee: add overflow check in register_shm_helper()" failed to apply to 5.4-stable tree

FAILED: patch "[PATCH] tee: add overflow check in register_shm_helper()" failed to apply to 5.4-stable tree

[gregkh]

The patch below does not apply to the 5.4-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 573ae4f13f630d6660008f1974c0a8a29c30e18a Mon Sep 17 00:00:00 2001
From: Jens Wiklander <jens.wiklander@linaro.org>
Date: Thu, 18 Aug 2022 13:08:59 +0200
Subject: [PATCH] tee: add overflow check in register_shm_helper()

With special lengths supplied by user space, register_shm_helper() has
an integer overflow when calculating the number of pages covered by a
supplied user space memory region.

This causes internal_get_user_pages_fast() a helper function of
pin_user_pages_fast() to do a NULL pointer dereference:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
  Modules linked in:
  CPU: 1 PID: 173 Comm: optee_example_a Not tainted 5.19.0 #11
  Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
  pc : internal_get_user_pages_fast+0x474/0xa80
  Call trace:
   internal_get_user_pages_fast+0x474/0xa80
   pin_user_pages_fast+0x24/0x4c
   register_shm_helper+0x194/0x330
   tee_shm_register_user_buf+0x78/0x120
   tee_ioctl+0xd0/0x11a0
   __arm64_sys_ioctl+0xa8/0xec
   invoke_syscall+0x48/0x114

Fix this by adding an an explicit call to access_ok() in
tee_shm_register_user_buf() to catch an invalid user space address
early.

Fixes: 033ddf12bcf5 ("tee: add register user memory")
Cc: stable@vger.kernel.org
Reported-by: Nimish Mishra <neelam.nimish@gmail.com>
Reported-by: Anirban Chakraborty <ch.anirban00727@gmail.com>
Reported-by: Debdeep Mukhopadhyay <debdeep.mukhopadhyay@gmail.com>
Suggested-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c
index f2b1bcefcadd..1175f3a46859 100644
--- a/drivers/tee/tee_shm.c
+++ b/drivers/tee/tee_shm.c
@@ -326,6 +326,9 @@ struct tee_shm *tee_shm_register_user_buf(struct tee_context *ctx,
 	void *ret;
 	int id;
 
+	if (!access_ok((void __user *)addr, length))
+		return ERR_PTR(-EFAULT);
+
 	mutex_lock(&teedev->mutex);
 	id = idr_alloc(&teedev->idr, NULL, 1, 0, GFP_KERNEL);
 	mutex_unlock(&teedev->mutex);

Re: FAILED: patch "[PATCH] tee: add overflow check in register_shm_helper()" failed to apply to 5.4-stable tree

[Linus Torvalds]

On Sun, Aug 21, 2022 at 12:00 AM <gregkh@linuxfoundation.org> wrote:
>
>
> The patch below does not apply to the 5.4-stable tree.

Yeah, there's some major re-org made by commit 53e16519c2ec ("tee:
replace tee_shm_register()") and related in this area in v5.18.

I think you need to just add that

        if (!access_ok((void __user *)data.addr, data.length))
                return -EFAULT;

to tee_ioctl_shm_register() just before the call to tee_shm_register().

It's where it checks "data.flags" too:

        /* Currently no input flags are supported */
        if (data.flags)
                return -EINVAL;

so it lines up with that whole "check ioctl arguments in the memory
block we just copied".

But Jens should probably double-check that.

                Linus

Re: FAILED: patch "[PATCH] tee: add overflow check in register_shm_helper()" failed to apply to 5.4-stable tree

[Jens Wiklander]

On Sun, Aug 21, 2022 at 6:55 PM Linus Torvalds
<torvalds@linux-foundation.org> wrote:
>
> On Sun, Aug 21, 2022 at 12:00 AM <gregkh@linuxfoundation.org> wrote:
> >
> >
> > The patch below does not apply to the 5.4-stable tree.
>
> Yeah, there's some major re-org made by commit 53e16519c2ec ("tee:
> replace tee_shm_register()") and related in this area in v5.18.
>
> I think you need to just add that
>
>         if (!access_ok((void __user *)data.addr, data.length))
>                 return -EFAULT;
>
> to tee_ioctl_shm_register() just before the call to tee_shm_register().

That should work, but data.addr is a u64 so to avoid a warning like:
drivers/tee/tee_core.c:185:17: warning: cast to pointer from integer
of different size [-Wint-to-pointer-cast]
  185 |  if (!access_ok((void __user *)data.addr, data.length))

We should first cast it to an unsigned long or such first.

>
> It's where it checks "data.flags" too:
>
>         /* Currently no input flags are supported */
>         if (data.flags)
>                 return -EINVAL;
>
> so it lines up with that whole "check ioctl arguments in the memory
> block we just copied".
>
> But Jens should probably double-check that.

 I'll send a backported patch to take care of the warning I mentioned above.

Thanks,
Jens