tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'tee-for-v6.16' of https://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee into soc/drivers
Small TEE updates for v6.16
- Remove an unnecessary NULL check before release_firmware() in the
OP-TEE driver
- Prevent a size wrap in the TEE subsystem. The wrap would have been caught
later in the code so no security consequences.
* tag 'tee-for-v6.16' of https://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee:
tee: Prevent size calculation wraparound on 32-bit kernels
tee: optee: smc: remove unnecessary NULL check before release_firmware()
Link: https://lore.kernel.org/r/20250509065114.GA4188600@rayden
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+7
-7
+1
-2
drivers/tee/optee/smc_abi.c
+1
-2
drivers/tee/optee/smc_abi.c
+6
-5
drivers/tee/tee_core.c
+6
-5
drivers/tee/tee_core.c
···
10
10
#include <linux/fs.h>
11
11
#include <linux/idr.h>
12
12
#include <linux/module.h>
13
+
#include <linux/overflow.h>
13
14
#include <linux/slab.h>
14
15
#include <linux/tee_core.h>
15
16
#include <linux/uaccess.h>
···
20
19
21
20
#define TEE_NUM_DEVICES 32
22
21
23
-
#define TEE_IOCTL_PARAM_SIZE(x) (sizeof(struct tee_param) * (x))
22
+
#define TEE_IOCTL_PARAM_SIZE(x) (size_mul(sizeof(struct tee_param), (x)))
24
23
25
24
#define TEE_UUID_NS_NAME_SIZE 128
26
25
···
488
487
if (copy_from_user(&arg, uarg, sizeof(arg)))
489
488
return -EFAULT;
490
489
491
-
if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)
490
+
if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len)
492
491
return -EINVAL;
493
492
494
493
if (arg.num_params) {
···
566
565
if (copy_from_user(&arg, uarg, sizeof(arg)))
567
566
return -EFAULT;
568
567
569
-
if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)
568
+
if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len)
570
569
return -EINVAL;
571
570
572
571
if (arg.num_params) {
···
700
699
if (get_user(num_params, &uarg->num_params))
701
700
return -EFAULT;
702
701
703
-
if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) != buf.buf_len)
702
+
if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) != buf.buf_len)
704
703
return -EINVAL;
705
704
706
705
params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL);
···
799
798
get_user(num_params, &uarg->num_params))
800
799
return -EFAULT;
801
800
802
-
if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) > buf.buf_len)
801
+
if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) > buf.buf_len)
803
802
return -EINVAL;
804
803
805
804
params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL);