Re: [PATCH] tee: add overflow check in tee_ioctl_shm_register()

On Tue, Nov 08, 2022 at 11:42:01AM +0530, Sumit Garg wrote:
> Hi Greg,
> 
> On Mon, 22 Aug 2022 at 18:42, Jens Wiklander <jens.wiklander@xxxxxxxxxx> wrote:
> >
> > commit 573ae4f13f630d6660008f1974c0a8a29c30e18a upstream.
> >
> > With special lengths supplied by user space, tee_shm_register() has
> > an integer overflow when calculating the number of pages covered by a
> > supplied user space memory region.
> >
> > This may cause pin_user_pages_fast() to do a NULL pointer dereference.
> >
> > Fix this by adding an explicit call to access_ok() in
> > tee_ioctl_shm_register() to catch an invalid user space address early.
> >
> > Fixes: 033ddf12bcf5 ("tee: add register user memory")
> > Cc: stable@xxxxxxxxxxxxxxx # 5.4
> > Cc: stable@xxxxxxxxxxxxxxx # 5.10
> > Reported-by: Nimish Mishra <neelam.nimish@xxxxxxxxx>
> > Reported-by: Anirban Chakraborty <ch.anirban00727@xxxxxxxxx>
> > Reported-by: Debdeep Mukhopadhyay <debdeep.mukhopadhyay@xxxxxxxxx>
> > Suggested-by: Jerome Forissier <jerome.forissier@xxxxxxxxxx>
> > Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> > [JW: backport to stable 5.4 and 5.10 + update commit message]
> > Signed-off-by: Jens Wiklander <jens.wiklander@xxxxxxxxxx>
> > ---
> >  drivers/tee/tee_core.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> 
> The v5.15 backport [1] for this fix has broken the kernel consumers
> for tee_shm_register(), the trusted keys driver is one of them
> reported here [2]. We need to fix that up with the following change
> [3]. Would you like to revert the backport and apply the correct one
> or should I prepare a fix patch for the following [3]?

A fixup patch is fine if needed, along with the description of why the
backport was broken.  Note, this commit went much further back than
5.15, so be sure to check older kernels too.

thanks,

greg k-h
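
A user-space model of the page-count overflow described in the quoted commit message, added here as an illustration; it is not the kernel's code or part of the patch. PAGE_SIZE, TASK_SIZE_MODEL, the function names and the sample values are assumptions, and user_range_ok() is a simplified stand-in for access_ok().

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SIZE 4096ULL             /* assumed page size for the model */
#define TASK_SIZE_MODEL (1ULL << 47)  /* assumed top of user address space */

/* Naive page count: round the end up, round the start down, divide.
 * addr + len is unsigned 64-bit arithmetic and silently wraps. */
static uint64_t page_count_unchecked(uint64_t addr, uint64_t len)
{
    uint64_t start = addr & ~(PAGE_SIZE - 1);
    uint64_t end = (addr + len + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
    return (end - start) / PAGE_SIZE;
}

/* Simplified stand-in for an access_ok()-style check: the region must
 * end inside the modeled user address space, tested without computing
 * addr + len (so the test itself cannot wrap). */
static bool user_range_ok(uint64_t addr, uint64_t len)
{
    if (len > TASK_SIZE_MODEL)
        return false;
    return addr <= TASK_SIZE_MODEL - len;
}

/* Validate first, then count. Returns -1 for an invalid region. */
static int64_t page_count_checked(uint64_t addr, uint64_t len)
{
    if (len == 0 || !user_range_ok(addr, len))
        return -1;
    return (int64_t)page_count_unchecked(addr, len);
}

int main(void)
{
    uint64_t addr = 0x7f0000001000ULL;  /* constructed, page-aligned */

    /* A sane region: 8193 bytes starting on a page boundary. */
    printf("valid region, checked:   %lld pages\n",
           (long long)page_count_checked(addr, 8193));
    /* Constructed oversized length: the end wraps back onto the start. */
    printf("huge length, unchecked:  %llu pages\n",
           (unsigned long long)page_count_unchecked(addr, UINT64_MAX));
    printf("huge length, checked:    %lld\n",
           (long long)page_count_checked(addr, UINT64_MAX));
    return 0;
}
```

In the model, the unchecked computation reports a region of UINT64_MAX bytes as covering zero pages, while the range check rejects it before any page arithmetic runs.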


