core: verify number of TEE parameters used for standard invocation

etienne-lms · GseoC · commit 0f631da995da · 2022-10-20T09:51:29.000+02:00
Adds missing tests on the number of TEE parameters used to invoke OP-TEE using standard message entry. The max supported value is given by GPD TEE specification as TEE_NUM_PARAMS. Change-Id: Ibd1b72b6685b3c6c00b19963f1cf64c4f3638498 Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-on: https://gerrit.st.com/c/mpu/oe/optee/optee_os/+/271365 Reviewed-by: CITOOLS <MDG-smet-aci-reviews@list.st.com> Reviewed-by: CIBUILD <MDG-smet-aci-builds@list.st.com> Reviewed-by: Etienne CARRIERE <etienne.carriere@foss.st.com> Reviewed-by: Gatien CHEVALLIER <gatien.chevallier@st.com> Tested-by: Etienne CARRIERE <etienne.carriere@foss.st.com> Domain-Review: Lionel DEBIEVE <lionel.debieve@foss.st.com>
diff --git a/core/tee/entry_std.c b/core/tee/entry_std.c
@@ -358,14 +358,21 @@ static void entry_open_session(struct optee_msg_arg *arg, uint32_t num_params)
 	TEE_UUID uuid;
 	struct tee_ta_param param;
 	size_t num_meta;
+	size_t num_sess_params = 0;
 	uint64_t saved_attr[TEE_NUM_PARAMS] = { 0 };
 
 	res = get_open_session_meta(num_params, arg->params, &num_meta, &uuid,
 				    &clnt_id);
 	if (res != TEE_SUCCESS)
 		goto out;
 
-	res = copy_in_params(arg->params + num_meta, num_params - num_meta,
+	if (SUB_OVERFLOW(num_params, num_meta, &num_sess_params) ||
+	    num_sess_params > TEE_NUM_PARAMS) {
+		res = TEE_ERROR_BAD_PARAMETERS;
+		goto out;
+	}
+
+	res = copy_in_params(arg->params + num_meta, num_sess_params,
 			     &param, saved_attr);
 	if (res != TEE_SUCCESS)
 		goto cleanup_shm_refs;
@@ -374,7 +381,7 @@ static void entry_open_session(struct optee_msg_arg *arg, uint32_t num_params)
 				  &clnt_id, TEE_TIMEOUT_INFINITE, &param);
 	if (res != TEE_SUCCESS)
 		s = NULL;
-	copy_out_param(&param, num_params - num_meta, arg->params + num_meta,
+	copy_out_param(&param, num_sess_params, arg->params + num_meta,
 		       saved_attr);
 
 	/*
@@ -386,7 +393,7 @@ static void entry_open_session(struct optee_msg_arg *arg, uint32_t num_params)
 				     &session_pnum);
 
 cleanup_shm_refs:
-	cleanup_shm_refs(saved_attr, &param, num_params - num_meta);
+	cleanup_shm_refs(saved_attr, &param, num_sess_params);
 
 out:
 	if (s)
@@ -427,14 +434,19 @@ static void entry_invoke_command(struct optee_msg_arg *arg, uint32_t num_params)
 
 	bm_timestamp();
 
+	if (num_params > TEE_NUM_PARAMS) {
+		res = TEE_ERROR_BAD_PARAMETERS;
+		goto out;
+	}
+
 	res = copy_in_params(arg->params, num_params, &param, saved_attr);
 	if (res != TEE_SUCCESS)
-		goto out;
+		goto cleanup_shm_refs;
 
 	s = tee_ta_get_session(arg->session, true, &tee_open_sessions);
 	if (!s) {
 		res = TEE_ERROR_BAD_PARAMETERS;
-		goto out;
+		goto cleanup_shm_refs;
 	}
 
 	res = tee_ta_invoke_command(&err_orig, s, NSAPP_IDENTITY,
@@ -446,9 +458,10 @@ static void entry_invoke_command(struct optee_msg_arg *arg, uint32_t num_params)
 
 	copy_out_param(&param, num_params, arg->params, saved_attr);
 
-out:
+cleanup_shm_refs:
 	cleanup_shm_refs(saved_attr, &param, num_params);
 
+out:
 	arg->ret = res;
 	arg->ret_origin = err_orig;
 }
