[PATCH openEuler-1.0-LTS 0/2] CVE-2022-50080 - Kernel - mailweb.openeuler.org

newer
[PATCH 1/8] Revert "arm64:...

[PATCH openEuler-1.0-LTS 0/2] CVE-2022-50080

older
[PATCH OLK-6.6] vhost-scsi:...

Yuntao Liu

26 Jun 2025 26 Jun '25

10:10 a.m.

CVE-2022-50080 Jens Wiklander (2): tee: add overflow check in register_shm_helper() tee: fix compiler warning in tee_shm_register() drivers/tee/tee_core.c | 4 ++++ drivers/tee/tee_shm.c | 1 + 2 files changed, 5 insertions(+) -- 2.34.1

Reply

Sign in to reply online Use email software

Show replies by date

Yuntao Liu

26 Jun 26 Jun

10:10 a.m.

New subject: [PATCH openEuler-1.0-LTS 1/2] tee: add overflow check in register_shm_helper()

From: Jens Wiklander <jens.wiklander@linaro.org> stable inclusion from stable-v4.19.256 commit b37e0f17653c00b586cdbcdf0dbca475358ecffd category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICG798 CVE: CVE-2022-50080 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- commit 573ae4f13f630d6660008f1974c0a8a29c30e18a upstream. With special lengths supplied by user space, register_shm_helper() has an integer overflow when calculating the number of pages covered by a supplied user space memory region. This causes internal_get_user_pages_fast() a helper function of pin_user_pages_fast() to do a NULL pointer dereference: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 Modules linked in: CPU: 1 PID: 173 Comm: optee_example_a Not tainted 5.19.0 #11 Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015 pc : internal_get_user_pages_fast+0x474/0xa80 Call trace: internal_get_user_pages_fast+0x474/0xa80 pin_user_pages_fast+0x24/0x4c register_shm_helper+0x194/0x330 tee_shm_register_user_buf+0x78/0x120 tee_ioctl+0xd0/0x11a0 __arm64_sys_ioctl+0xa8/0xec invoke_syscall+0x48/0x114 Fix this by adding an an explicit call to access_ok() in tee_shm_register_user_buf() to catch an invalid user space address early. Fixes: 033ddf12bcf5 ("tee: add register user memory") Cc: stable@vger.kernel.org Reported-by: Nimish Mishra <neelam.nimish@gmail.com> Reported-by: Anirban Chakraborty <ch.anirban00727@gmail.com> Reported-by: Debdeep Mukhopadhyay <debdeep.mukhopadhyay@gmail.com> Suggested-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> [JW: backport to stable-4.19 + update commit message] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Yuntao Liu <liuyuntao12@huawei.com> --- drivers/tee/tee_core.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c index 0d252f151584..69be7f764bf9 100644 --- a/drivers/tee/tee_core.c +++ b/drivers/tee/tee_core.c @@ -172,6 +172,10 @@ tee_ioctl_shm_register(struct tee_context *ctx, if (data.flags) return -EINVAL; + if (!access_ok(VERIFY_WRITE, (void __user *)(unsigned long)data.addr, + data.length)) + return -EFAULT; + shm = tee_shm_register(ctx, data.addr, data.length, TEE_SHM_DMA_BUF | TEE_SHM_USER_MAPPED); if (IS_ERR(shm)) -- 2.34.1

Reply

Sign in to reply online Use email software

Yuntao Liu

10:10 a.m.

New subject: [PATCH openEuler-1.0-LTS 2/2] tee: fix compiler warning in tee_shm_register()

From: Jens Wiklander <jens.wiklander@linaro.org> mainline inclusion from mainline-v6.0-rc5 commit eccd7439709810127563e7e3e49b8b44c7b2791d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICG798 CVE: CVE-2022-50080 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Include <linux/uaccess.h> to avoid the warning: drivers/tee/tee_shm.c: In function 'tee_shm_register':

...
drivers/tee/tee_shm.c:242:14: error: implicit declaration of function 'access_ok' [-Werror=implicit-function-declaration] 242 | if (!access_ok((void __user *)addr, length)) | ^~~~~~~~~ cc1: some warnings being treated as errors

Fixes: 573ae4f13f63 ("tee: add overflow check in register_shm_helper()") Reviewed-by: Sumit Garg <sumit.garg@linaro.org> Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Conflicts: drivers/tee/tee_shm.c [adjust context] Signed-off-by: Yuntao Liu <liuyuntao12@huawei.com> --- drivers/tee/tee_shm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index c591e7ba4435..e4c150346a42 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -18,6 +18,7 @@ #include <linux/sched.h> #include <linux/slab.h> #include <linux/tee_drv.h> +#include <linux/uaccess.h> #include "tee_private.h" static void tee_shm_release(struct tee_device *teedev, struct tee_shm *shm) -- 2.34.1

Reply

Sign in to reply online Use email software

patchwork bot

10:26 a.m.

反馈：您发送到kernel@openeuler.org的补丁/补丁集，已成功转换为PR！ PR链接地址： https://gitee.com/openeuler/kernel/pulls/16808 邮件列表地址：https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/3OK... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/16808 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/3OK...

Reply

Sign in to reply online Use email software

1

Age (days ago)

1

Last active (days ago)

3 comments

2 participants

tags

participants (2)

patchwork bot
Yuntao Liu