On Sun, Aug 21, 2022 at 6:55 PM Linus Torvalds torvalds@linux-foundation.org wrote:
> On Sun, Aug 21, 2022 at 12:00 AM gregkh@linuxfoundation.org wrote:
> > The patch below does not apply to the 5.4-stable tree.
> Yeah, there's some major re-org made by commit 53e16519c2ec ("tee: replace tee_shm_register()") and related in this area in v5.18.
>
> I think you need to just add that
>
>     if (!access_ok((void __user *)data.addr, data.length))
>         return -EFAULT;
>
> to tee_ioctl_shm_register() just before the call to tee_shm_register().
That should work, but data.addr is a u64, so to avoid a warning like:

    drivers/tee/tee_core.c:185:17: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
      185 |         if (!access_ok((void __user *)data.addr, data.length))

we should cast it to an unsigned long or such first.
> It's where it checks "data.flags" too:
>
>     /* Currently no input flags are supported */
>     if (data.flags)
>         return -EINVAL;
>
> so it lines up with that whole "check ioctl arguments in the memory block we just copied".
>
> But Jens should probably double-check that.
I'll send a backported patch to take care of the warning I mentioned above.
Thanks,
Jens
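As an added illustration, not code from this thread, the TEE driver or the backport, here is a userspace C model of the argument check discussed above: the flags check first, then the address range check, with the u64 narrowed to unsigned long before the pointer cast so a 32-bit build does not hit -Wint-to-pointer-cast. The struct layout, the 0x80000000 user-address window and mock_access_ok() are constructed stand-ins for the kernel's struct, TASK_SIZE and access_ok(); the kernel does its own range check differently, this only shows the shape of the validation on the copied argument block.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the ioctl argument block (addr/length/flags/id),
 * assumed here as u64 addr, u64 length, u32 flags, s32 id. */
struct shm_register_data {
	uint64_t addr;
	uint64_t length;
	uint32_t flags;
	int32_t id;
};

/* Constructed user-address window standing in for the kernel's TASK_SIZE;
 * mock_access_ok() plays the role of access_ok(). */
#define MOCK_TASK_SIZE ((unsigned long)0x80000000UL)

static bool mock_access_ok(const void *uaddr, unsigned long len)
{
	unsigned long start = (unsigned long)uaddr;

	/* Reject a range that wraps around or reaches past the user window;
	 * written as a subtraction so the sum itself cannot overflow. */
	if (len > MOCK_TASK_SIZE || start > MOCK_TASK_SIZE - len)
		return false;
	return true;
}

/* Validate the copied argument block in the order discussed in the thread:
 * reject unsupported flags, then make sure the user range is acceptable. */
int validate_shm_register(const struct shm_register_data *data)
{
	/* Currently no input flags are supported */
	if (data->flags)
		return -EINVAL;

	/* A u64 that does not fit in unsigned long cannot be a valid user
	 * pointer or size on this build; on 64-bit these checks are no-ops. */
	if (data->addr != (unsigned long)data->addr)
		return -EFAULT;
	if (data->length != (unsigned long)data->length)
		return -EFAULT;

	/* Cast via unsigned long, not straight from u64, to keep 32-bit quiet. */
	if (!mock_access_ok((void *)(unsigned long)data->addr,
			    (unsigned long)data->length))
		return -EFAULT;

	return 0;
}

/* Convenience wrapper: build the argument block from scalars and validate it. */
int check_args(uint64_t addr, uint64_t length, uint32_t flags)
{
	struct shm_register_data data = {
		.addr = addr,
		.length = length,
		.flags = flags,
		.id = -1,
	};

	return validate_shm_register(&data);
}

int main(void)
{
	/* Constructed sample inputs: one good range, one bad flag, one range
	 * past the window, one that wraps. */
	printf("ok range:      %d\n", check_args(0x1000, 0x1000, 0));
	printf("bad flags:     %d\n", check_args(0x1000, 0x1000, 1));
	printf("past window:   %d\n", check_args(0x7fffff00, 0x1000, 0));
	printf("wraps:         %d\n", check_args(UINT64_MAX, 1, 0));
	return 0;
}
```

The wrapper returns the negative errno values the kernel convention uses, so a caller can see which of the two checks rejected the block.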