]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
projects / thirdparty / kernel / stable-queue.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 117da82)
updated queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 22 Aug 2022 10:01:54 +0000 (12:01 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 22 Aug 2022 10:01:54 +0000 (12:01 +0200)
queue-5.4/series patch | blob | blame | history
queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch patch | blob | blame | history

diff --git a/queue-5.4/series b/queue-5.4/series
index e8634929a9bf6554735b26224633d7947c1e49b9..5ce30ede81b77163a8c4a3ff678d0d950dab608e 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -281,7 +281,6 @@ tcp-fix-over-estimation-in-sk_forced_mem_schedule.patch
 scsi-sg-allow-waiting-for-commands-to-complete-on-removed-device.patch
 revert-net-usb-ax88179_178a-needs-flag_send_zlp.patch
 bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch
-tee-add-overflow-check-in-register_shm_helper.patch
 net-9p-initialize-the-iounit-field-during-fid-creation.patch
 net_sched-cls_route-disallow-handle-of-0.patch
 alsa-info-fix-llseek-return-value-when-using-callback.patch
@@ -326,3 +325,4 @@ nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch
 xen-xenbus-fix-return-type-in-xenbus_file_read.patch
 atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch
 dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch
+tee-add-overflow-check-in-register_shm_helper.patch
diff --git a/queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch b/queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch
index 9a87677089dd45328c1b3ec8ddb78a16419a173e..381c7e8dbba5fad54589dfbbe16010db1c8abeb9 100644 (file)
--- a/queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch
+++ b/queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch
@@ -40,20 +40,22 @@ Reported-by: Debdeep Mukhopadhyay <debdeep.mukhopadhyay@gmail.com>
 Suggested-by: Jerome Forissier <jerome.forissier@linaro.org>
 Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[JW: backport to stable-5.4 + update commit message]
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
- drivers/tee/tee_shm.c |    3 +++
+ drivers/tee/tee_core.c |    3 +++
  1 file changed, 3 insertions(+)
 
---- a/drivers/tee/tee_shm.c
-+++ b/drivers/tee/tee_shm.c
-@@ -239,6 +239,9 @@ struct tee_shm *tee_shm_register(struct
-               goto err;
-       }
+--- a/drivers/tee/tee_core.c
++++ b/drivers/tee/tee_core.c
+@@ -182,6 +182,9 @@ tee_ioctl_shm_register(struct tee_contex
+       if (data.flags)
+               return -EINVAL;
  
-+      if (!access_ok((void __user *)addr, length))
-+              return ERR_PTR(-EFAULT);
++      if (!access_ok((void __user *)(unsigned long)data.addr, data.length))
++              return -EFAULT;
 +
-       mutex_lock(&teedev->mutex);
-       list_add_tail(&shm->link, &ctx->list_shm);
-       mutex_unlock(&teedev->mutex);
+       shm = tee_shm_register(ctx, data.addr, data.length,
+                              TEE_SHM_DMA_BUF | TEE_SHM_USER_MAPPED);
+       if (IS_ERR(shm))
Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git