TEE suppression plugin RPC copies full request buffer when actual output is smaller, leaking secure heap data #7644
Conversation
|
Thanks for the patch. Please provide a proper commit subject and description. |
|
Copies only the smaller of the plugin’s reported output length (outlen) and the requested length into the core/user buffers, preventing leftover heap data from leaking when the response is shorter than len |
Excellent. I'd like to see this in the git commit description. |
|
done |
|
One more thing, we also require authors to provide a Signed-off-by. Please see: https://optee.readthedocs.io/en/latest/general/contribute.html |
|
Is this the correct way to do it? |
Please run: This will set the Git |
…an requested Copies only the smaller of the plugin’s reported output length (outlen) and the requested length. This prevents leaking leftover secure-world heap data when the plugin returns fewer bytes than the caller requested. Previously, tee_invoke_supp_plugin_rpc() copied `len` bytes regardless of the actual number of bytes produced by the plugin, resulting in kernel / secure heap disclosure into the REE. Signed-off-by: Jaeyeong Lee <[email protected]>
|
done |
I don't see how kernel or secure heap is leaked. This copies from shared memory allocated by the tee-supplicant. Unless I've misunderstood it, the worst case is leaking tee-supplicant heap. |
| *outlen = params[2].u.value.b; | ||
|
|
||
| if (len && outlen && *outlen) { | ||
| size_t resp_len = *outlen; |
There was a problem hiding this comment.
size_t resp_len = MIN(*outlen, len);
|
This pull request has been marked as a stale pull request because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this pull request will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time. |
3 participants
fix bug