Re: [PATCH] tee: Prevent size calculation wraparound on 32-bit kernels

From: David Laight
Date: Fri May 02 2025 - 08:42:17 EST

Next message: Christian Brauner: "[PATCH RFC v2 0/6] coredump: support AF_UNIX sockets"
Previous message: Thomas Weißschuh: "[PATCH 7/7] selftests: vDSO: vdso_config: Avoid -Wunused-variables"
In reply to: Jann Horn: "Re: [PATCH] tee: Prevent size calculation wraparound on 32-bit kernels"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2 May 2025 14:28:21 +0200
Jann Horn <jannh@xxxxxxxxxx> wrote:

> On Thu, May 1, 2025 at 10:02 PM David Laight
> <david.laight.linux@xxxxxxxxx> wrote:
> >
> > On Mon, 28 Apr 2025 15:06:43 +0200
> > Jann Horn <jannh@xxxxxxxxxx> wrote:
> >
> > > The current code around TEE_IOCTL_PARAM_SIZE() is a bit wrong on
> > > 32-bit kernels: Multiplying a user-provided 32-bit value with the
> > > size of a structure can wrap around on such platforms.
> > >
> > > Fix it by using saturating arithmetic for the size calculation.
> >
> > Why not just add a sanity check on 'num_params' after it is read.
> > Max is 31 (1024-32)/32), but any sane limit will do because of
> > the buf.buf_len test.
>
> That would work, too. I don't know which way looks nicer.

The saturating arithmetic functions are non-obvious and non-trivial.
I looked at the code to check where buf.buf_len came from,
without its sanity check the user could craft a request where it
matched the saturated size.

I think I'd sanity check the number of items and then check that that
buffer length is right for the number of items.

David

Next message: Christian Brauner: "[PATCH RFC v2 0/6] coredump: support AF_UNIX sockets"
Previous message: Thomas Weißschuh: "[PATCH 7/7] selftests: vDSO: vdso_config: Avoid -Wunused-variables"
In reply to: Jann Horn: "Re: [PATCH] tee: Prevent size calculation wraparound on 32-bit kernels"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]