From: Greg Kroah-Hartman Date: Mon, 22 Aug 2022 15:13:46 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.9.326~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cbeb12b294ec45c8db0d8f09d8db037180d8076c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: tee-add-overflow-check-in-register_shm_helper.patch --- diff --git a/queue-4.19/series b/queue-4.19/series index e772f73369d..78fdd907efb 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -281,3 +281,4 @@ smb3-check-xattr-value-length-earlier.patch powerpc-64-init-jump-labels-before-parse_early_param.patch video-fbdev-i740fb-check-the-argument-of-i740_calc_v.patch mips-tlbex-explicitly-compare-_page_no_exec-against-.patch +tee-add-overflow-check-in-register_shm_helper.patch diff --git a/queue-4.19/tee-add-overflow-check-in-register_shm_helper.patch b/queue-4.19/tee-add-overflow-check-in-register_shm_helper.patch new file mode 100644 index 00000000000..25ac9e8af9d --- /dev/null +++ b/queue-4.19/tee-add-overflow-check-in-register_shm_helper.patch 
@@ -0,0 +1,62 @@ +From 573ae4f13f630d6660008f1974c0a8a29c30e18a Mon Sep 17 00:00:00 2001 +From: Jens Wiklander +Date: Thu, 18 Aug 2022 13:08:59 +0200 +Subject: tee: add overflow check in register_shm_helper() + +From: Jens Wiklander + +commit 573ae4f13f630d6660008f1974c0a8a29c30e18a upstream. + +With special lengths supplied by user space, register_shm_helper() has +an integer overflow when calculating the number of pages covered by a +supplied user space memory region. + +This causes internal_get_user_pages_fast() a helper function of +pin_user_pages_fast() to do a NULL pointer dereference: + + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 + Modules linked in: + CPU: 1 PID: 173 Comm: optee_example_a Not tainted 5.19.0 #11 + Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015 + pc : internal_get_user_pages_fast+0x474/0xa80 + Call trace: + internal_get_user_pages_fast+0x474/0xa80 + pin_user_pages_fast+0x24/0x4c + register_shm_helper+0x194/0x330 + tee_shm_register_user_buf+0x78/0x120 + tee_ioctl+0xd0/0x11a0 + __arm64_sys_ioctl+0xa8/0xec + invoke_syscall+0x48/0x114 + +Fix this by adding an an explicit call to access_ok() in +tee_shm_register_user_buf() to catch an invalid user space address +early. 
+ +Fixes: 033ddf12bcf5 ("tee: add register user memory") +Cc: stable@vger.kernel.org +Reported-by: Nimish Mishra +Reported-by: Anirban Chakraborty +Reported-by: Debdeep Mukhopadhyay +Suggested-by: Jerome Forissier +Signed-off-by: Jens Wiklander +Signed-off-by: Linus Torvalds +[JW: backport to stable-4.19 + update commit message] +Signed-off-by: Jens Wiklander +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tee/tee_core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/tee/tee_core.c ++++ b/drivers/tee/tee_core.c +@@ -175,6 +175,10 @@ tee_ioctl_shm_register(struct tee_contex + if (data.flags) + return -EINVAL; + ++ if (!access_ok(VERIFY_WRITE, (void __user *)(unsigned long)data.addr, ++ data.length)) ++ return -EFAULT; ++ + shm = tee_shm_register(ctx, data.addr, data.length, + TEE_SHM_DMA_BUF | TEE_SHM_USER_MAPPED); + if (IS_ERR(shm))
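Review bot: The commit message in the added patch file says the fix adds access_ok() "in tee_shm_register_user_buf()", but the tee_core.c hunk places the check in tee_ioctl_shm_register(), and the subject line names register_shm_helper(), which the diffstat (drivers/tee/tee_core.c, 4 insertions) shows is not touched. The trailer already reads "[JW: backport to stable-4.19 + update commit message]", so the final paragraph should name tee_ioctl_shm_register() as the function changed in this backport. It should also say that the quoted oops was captured on 5.19.0 ("Not tainted 5.19.0 #11"), so the frames it lists may not match the 4.19 call path. The same paragraph has a doubled word: "adding an an explicit call".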
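Review bot: The access_ok() check added in tee_ioctl_shm_register() carries no comment tying it to the page-count overflow it is meant to prevent, and the calculation in register_shm_helper() that the subject names is left as it was. A one-line comment above `if (!access_ok(VERIFY_WRITE, (void __user *)(unsigned long)data.addr,` would help here. It should say that rejecting an out-of-range addr/length pair at this point is what keeps the later page count from overflowing, which would stop the check from being dropped or moved in a later cleanup. It is also worth confirming that no other caller reaches tee_shm_register() with TEE_SHM_USER_MAPPED without passing through this handler, because the guard lives only on the ioctl path.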