tee: Prevent size calculation wraparound on 32-bit kernels - kernel

diff options

author	Jann Horn <[email protected]>	2025-04-28 13:06:43 +0000
committer	Jens Wiklander <[email protected]>	2025-04-30 12:57:03 +0000
commit	39bb67edcc582b3b386a9ec983da67fa8a10ec03 (patch)
tree	39adeb70868ae40467e5266129da951cfd51541b /scripts/gcc-plugins/randomize_layout_plugin.c
parent	tee: optee: smc: remove unnecessary NULL check before release_firmware() (diff)
download	kernel-39bb67edcc582b3b386a9ec983da67fa8a10ec03.tar.gz kernel-39bb67edcc582b3b386a9ec983da67fa8a10ec03.zip

tee: Prevent size calculation wraparound on 32-bit kernels

The current code around TEE_IOCTL_PARAM_SIZE() is a bit wrong on 32-bit kernels: Multiplying a user-provided 32-bit value with the size of a structure can wrap around on such platforms. Fix it by using saturating arithmetic for the size calculation. This has no security consequences because, in all users of TEE_IOCTL_PARAM_SIZE(), the subsequent kcalloc() implicitly checks for wrapping. Signed-off-by: Jann Horn <[email protected]> Signed-off-by: Jens Wiklander <[email protected]> Tested-by: Rouven Czerwinski <[email protected]>

Diffstat (limited to 'scripts/gcc-plugins/randomize_layout_plugin.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: