Patch "tee: fix memory leak in tee_shm_register()" has been added to the 5.10-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    tee: fix memory leak in tee_shm_register()

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tee-fix-memory-leak-in-tee_shm_register.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From jens.wiklander@xxxxxxxxxx  Tue Aug 23 10:28:47 2022
From: Jens Wiklander <jens.wiklander@xxxxxxxxxx>
Date: Tue, 23 Aug 2022 10:23:26 +0200
Subject: tee: fix memory leak in tee_shm_register()
To: stable@xxxxxxxxxxxxxxx
Cc: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>, Jens Wiklander <jens.wiklander@xxxxxxxxxx>, Pavel Machek <pavel@xxxxxxx>
Message-ID: <20220823082326.9155-1-jens.wiklander@xxxxxxxxxx>

From: Jens Wiklander <jens.wiklander@xxxxxxxxxx>

Moves the access_ok() check for valid memory range from user space from
the function tee_shm_register() to tee_ioctl_shm_register(). With this
we error out early before anything is done that must be undone on error.

Fixes: 578c349570d2 ("tee: add overflow check in register_shm_helper()")
Cc: stable@xxxxxxxxxxxxxxx # 5.10
Reported-by: Pavel Machek <pavel@xxxxxxx>
Signed-off-by: Jens Wiklander <jens.wiklander@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/tee/tee_core.c |    3 +++
 drivers/tee/tee_shm.c  |    3 ---
 2 files changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/tee/tee_core.c
+++ b/drivers/tee/tee_core.c
@@ -334,6 +334,9 @@ tee_ioctl_shm_register(struct tee_contex
 	if (data.flags)
 		return -EINVAL;
 
+	if (!access_ok((void __user *)(unsigned long)data.addr, data.length))
+		return -EFAULT;
+
 	shm = tee_shm_register(ctx, data.addr, data.length,
 			       TEE_SHM_DMA_BUF | TEE_SHM_USER_MAPPED);
 	if (IS_ERR(shm))
--- a/drivers/tee/tee_shm.c
+++ b/drivers/tee/tee_shm.c
@@ -222,9 +222,6 @@ struct tee_shm *tee_shm_register(struct
 		goto err;
 	}
 
-	if (!access_ok((void __user *)addr, length))
-		return ERR_PTR(-EFAULT);
-
 	mutex_lock(&teedev->mutex);
 	shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL);
 	mutex_unlock(&teedev->mutex);


Patches currently in stable-queue which might be from jens.wiklander@xxxxxxxxxx are

queue-5.10/tee-fix-memory-leak-in-tee_shm_register.patch
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux