]> git.ipfire.org Git - thirdparty/kernel/stable.git/commit
projects / thirdparty / kernel / stable.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 26104d8) | patch
tee: Prevent size calculation wraparound on 32-bit kernels
authorJann Horn <jannh@google.com>
Mon, 28 Apr 2025 13:06:43 +0000 (15:06 +0200)
committerJens Wiklander <jens.wiklander@linaro.org>
Wed, 30 Apr 2025 12:57:03 +0000 (14:57 +0200)
commit39bb67edcc582b3b386a9ec983da67fa8a10ec03
tree39adeb70868ae40467e5266129da951cfd51541btree
parent26104d81567376b2038c4f52c90d849ee32639a9commit | diff
tee: Prevent size calculation wraparound on 32-bit kernels

The current code around TEE_IOCTL_PARAM_SIZE() is a bit wrong on
32-bit kernels: Multiplying a user-provided 32-bit value with the
size of a structure can wrap around on such platforms.

Fix it by using saturating arithmetic for the size calculation.

This has no security consequences because, in all users of
TEE_IOCTL_PARAM_SIZE(), the subsequent kcalloc() implicitly checks
for wrapping.

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Rouven Czerwinski <rouven.czerwinski@linaro.org>
drivers/tee/tee_core.c diff | blob | blame | history
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git