On Sun, Aug 21, 2022 at 6:55 PM Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Sun, Aug 21, 2022 at 12:00 AM <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> >
> > The patch below does not apply to the 5.4-stable tree.
>
> Yeah, there's some major re-org made by commit 53e16519c2ec ("tee:
> replace tee_shm_register()") and related in this area in v5.18.
>
> I think you need to just add that
>
>         if (!access_ok((void __user *)data.addr, data.length))
>                 return -EFAULT;
>
> to tee_ioctl_shm_register() just before the call to tee_shm_register().

That should work, but data.addr is a u64 so to avoid a warning like:

drivers/tee/tee_core.c:185:17: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
  185 |   if (!access_ok((void __user *)data.addr, data.length))

We should first cast it to an unsigned long or such first.

>
> It's where it checks "data.flags" too:
>
>         /* Currently no input flags are supported */
>         if (data.flags)
>                 return -EINVAL;
>
> so it lines up with that whole "check ioctl arguments in the memory
> block we just copied".
>
> But Jens should probably double-check that.

I'll send a backported patch to take care of the warning I mentioned above.

Thanks,
Jens
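A user-space model of the argument checks discussed in this message, added here as an illustration; it is not the backported patch or kernel code. The struct name, `model_access_ok()`, `MODEL_USER_LIMIT` and `model_shm_register_check()` are hypothetical stand-ins, and `uintptr_t` plays the role of the kernel's pointer-sized unsigned long.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the ioctl argument block; only the three
 * fields named in the message (addr, length, flags) are modelled. */
struct shm_register_data {
    uint64_t addr;    /* u64 on every architecture, even 32-bit ones */
    uint64_t length;
    uint32_t flags;
};

/* Constructed limit for this model: the lower half of the address space. */
#define MODEL_USER_LIMIT ((uintptr_t)1 << (sizeof(uintptr_t) * 8 - 1))

/* Simplified stand-in for access_ok(): the range [ptr, ptr + size) must
 * end at or below the limit, and the comparison must not wrap around. */
static int model_access_ok(const void *ptr, uint64_t size)
{
    uintptr_t start = (uintptr_t)ptr;

    if (size > MODEL_USER_LIMIT)
        return 0;
    return start <= MODEL_USER_LIMIT - size;
}

/* Checks run on the copied-in argument block before it is used. */
int model_shm_register_check(const struct shm_register_data *data)
{
    /* Currently no input flags are supported */
    if (data->flags)
        return -EINVAL;

    /* u64 -> pointer-sized integer -> pointer. Casting the u64 straight
     * to a pointer is what triggers -Wint-to-pointer-cast when pointers
     * are 32 bits wide; the intermediate cast matches the pointer width. */
    if (!model_access_ok((const void *)(uintptr_t)data->addr, data->length))
        return -EFAULT;

    return 0;
}

int main(void)
{
    struct shm_register_data ok = { 0x1000, 4096, 0 };        /* constructed */
    struct shm_register_data bad = { UINT64_MAX - 15, 64, 0 }; /* constructed */

    printf("ok=%d bad=%d\n", model_shm_register_check(&ok),
           model_shm_register_check(&bad));
    return 0;
}
```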