powerpc/mm/books3s: Add new pte bit to mark pte temporarily invalid.

[mirror_ubuntu-bionic-kernel.git] / drivers / tee / tee_core.c

diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
index 58a5009eacc388b45231d747e7d142163f38e627..a548c369579773a5d19914b0f6d5e725bbc55bb7 100644 (file)
--- a/drivers/tee/tee_core.c
+++ b/drivers/tee/tee_core.c
@@ -181,6 +181,17 @@ static int params_from_user(struct tee_context *ctx, struct tee_param *params,
                        if (IS_ERR(shm))
                                return PTR_ERR(shm);
 
+                       /*
+                        * Ensure offset + size does not overflow offset
+                        * and does not overflow the size of the referred
+                        * shared memory object.
+                        */
+                       if ((ip.a + ip.b) < ip.a ||
+                           (ip.a + ip.b) > shm->size) {
+                               tee_shm_put(shm);
+                               return -EINVAL;
+                       }
+
                        params[n].u.memref.shm_offs = ip.a;
                        params[n].u.memref.size = ip.b;
                        params[n].u.memref.shm = shm;