You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Then the check in 741, i.e:
if (c_shm->flags & TEEC_MEM_KAPI) {
//Now, kc_shm is User Controlled.
struct tee_shm *kc_shm = (struct tee_shm *)c_shm->d.ptr;
if (!kc_shm) {
dev_err(_DEV(tee), "kapi fd null\n");
ret = -EINVAL;
goto err;
}
// Here shm->paddr is controlled by user.
shm->paddr = kc_shm->paddr;
This could be exploited to pass arbitrary physical address to Trustlets.
The text was updated successfully, but these errors were encountered:
In https://github.com/OP-TEE/optee_linuxdriver/blob/master/core/tee_session.c#L600, param->c_shm[idx] is copied from user.
In https://github.com/OP-TEE/optee_linuxdriver/blob/master/core/tee_session.c#L628, where we call tee_shm_get:
tee_shm_get(ctx, ¶m->c_shm[idx], size, offset)
Then in function: tee_shm_get (https://github.com/OP-TEE/optee_linuxdriver/blob/master/core/tee_shm.c#L716) , Here, c_shm is copied from user (i.e param->c_shm[idx]).
Then the check in 741, i.e:
if (c_shm->flags & TEEC_MEM_KAPI) {
//Now, kc_shm is User Controlled.
struct tee_shm *kc_shm = (struct tee_shm *)c_shm->d.ptr;
This could be exploited to pass arbitrary physical address to Trustlets.
The text was updated successfully, but these errors were encountered: