tee: Prevent size calculation wraparound on 32-bit kernels

[ Upstream commit 39bb67edcc582b3b386a9ec983da67fa8a10ec03 ]

The current code around TEE_IOCTL_PARAM_SIZE() is a bit wrong on
32-bit kernels: Multiplying a user-provided 32-bit value with the
size of a structure can wrap around on such platforms.

Fix it by using saturating arithmetic for the size calculation.

This has no security consequences because, in all users of
TEE_IOCTL_PARAM_SIZE(), the subsequent kcalloc() implicitly checks
for wrapping.

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Rouven Czerwinski <rouven.czerwinski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
index 9cc4a7b63b0d6068faa29d65ab7c44be59081716..e6de0e80b793eb7e679706f5d9096374a86056fd 100644 (file)
--- a/drivers/tee/tee_core.c
+++ b/drivers/tee/tee_core.c
@@ -10,6 +10,7 @@
 #include <linux/fs.h>
 #include <linux/idr.h>
 #include <linux/module.h>
+#include <linux/overflow.h>
 #include <linux/slab.h>
 #include <linux/tee_drv.h>
 #include <linux/uaccess.h>
@@ -19,7 +20,7 @@
 
 #define TEE_NUM_DEVICES        32
 
-#define TEE_IOCTL_PARAM_SIZE(x) (sizeof(struct tee_param) * (x))
+#define TEE_IOCTL_PARAM_SIZE(x) (size_mul(sizeof(struct tee_param), (x)))
 
 #define TEE_UUID_NS_NAME_SIZE  128
 
@@ -492,7 +493,7 @@ static int tee_ioctl_open_session(struct tee_context *ctx,
        if (copy_from_user(&arg, uarg, sizeof(arg)))
                return -EFAULT;
 
-       if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)
+       if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len)
                return -EINVAL;
 
        if (arg.num_params) {
@@ -570,7 +571,7 @@ static int tee_ioctl_invoke(struct tee_context *ctx,
        if (copy_from_user(&arg, uarg, sizeof(arg)))
                return -EFAULT;
 
-       if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)
+       if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len)
                return -EINVAL;
 
        if (arg.num_params) {
@@ -704,7 +705,7 @@ static int tee_ioctl_supp_recv(struct tee_context *ctx,
        if (get_user(num_params, &uarg->num_params))
                return -EFAULT;
 
-       if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) != buf.buf_len)
+       if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) != buf.buf_len)
                return -EINVAL;
 
        params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL);
@@ -803,7 +804,7 @@ static int tee_ioctl_supp_send(struct tee_context *ctx,
            get_user(num_params, &uarg->num_params))
                return -EFAULT;
 
-       if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) > buf.buf_len)
+       if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) > buf.buf_len)
                return -EINVAL;
 
        params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL);