core: scrub user-tainted kernel heap memory before freeing it

Some syscalls can be used to poison kernel heap memory. Data copied from
userland is not wiped when the syscall returns. For instance, when doing
syscall_log() one can copy arbitrary data of variable length onto kernel
memory. When free() is called, the block is returned to the memory pool,
tainted with that userland data. This might be used in combination with
some other vulnerability to produce an exploit.

This patch uses free_wipe() to clear the buffers that have been used to
store user-provided data before returning them to the heap.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.4]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
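To illustrate the defect the commit message describes and the fix it applies, here is an added example that is not OP-TEE's own code: a small fixed pool stands in for the kernel heap, handle_user_data() plays the role of a syscall that copies caller-supplied bytes into a heap block, and pool_free_wipe() is a stand-in for free_wipe(). All of these names, the pool layout and the sample byte pattern are constructed for the example; nothing here reflects OP-TEE's actual allocator.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy bump-allocated pool standing in for the kernel heap (constructed for
 * this example; it is not OP-TEE's allocator). Frees are LIFO only. */
#define POOL_SIZE 256
static uint8_t pool[POOL_SIZE];
static size_t pool_used;

static void pool_reset(void) {
    memset(pool, 0, sizeof(pool));
    pool_used = 0;
}

static void *pool_alloc(size_t n) {
    if (n > POOL_SIZE - pool_used)
        return NULL;
    void *p = &pool[pool_used];
    pool_used += n;
    return p;
}

/* Plain free: the block goes back to the pool with its contents untouched,
 * which is the behaviour the commit message describes as the problem. */
static void pool_free(void *p, size_t n) {
    (void)p;
    pool_used -= n;
}

/* Zero a buffer through a volatile pointer so the compiler cannot discard
 * the stores as dead writes to memory that is about to be freed. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--)
        *v++ = 0;
}

/* Stand-in for free_wipe(): scrub first, then return the block. */
static void pool_free_wipe(void *p, size_t n) {
    secure_wipe(p, n);
    pool_free(p, n);
}

/* Simulated syscall handler: copies caller data into a heap block, would
 * process it, then frees it either plainly or with a wipe. */
static int handle_user_data(const uint8_t *user, size_t len, int wipe) {
    uint8_t *buf = pool_alloc(len);
    if (!buf)
        return -1;
    memcpy(buf, user, len);   /* stand-in for a copy-from-user step */
    /* ... the handler would work on buf here ... */
    if (wipe)
        pool_free_wipe(buf, len);
    else
        pool_free(buf, len);
    return 0;
}

/* Count how many bytes of the freed region still equal the caller's data. */
static size_t residual_bytes(const uint8_t *pattern, size_t len) {
    size_t hits = 0;
    for (size_t i = 0; i < len; i++)
        if (pool[i] == pattern[i])
            hits++;
    return hits;
}

/* Run one simulated syscall on a constructed 16-byte pattern and report how
 * much of it survives in the pool after free(). Returns 16 without wiping
 * and 0 with wiping. */
size_t demo_residual(int wipe) {
    static const uint8_t user_data[16] = "SECRET-TOKEN-42!";  /* constructed */
    pool_reset();
    if (handle_user_data(user_data, sizeof(user_data), wipe) != 0)
        return (size_t)-1;
    return residual_bytes(user_data, sizeof(user_data));
}

int main(void) {
    printf("bytes left after plain free: %zu\n", demo_residual(0));
    printf("bytes left after wiped free: %zu\n", demo_residual(1));
    return 0;
}
```

The volatile loop in secure_wipe() matters: a plain memset() immediately before free() is a dead store from the compiler's point of view and may be optimized away, so the wipe has to be written in a form the optimizer must keep (the same concern that motivates explicit_bzero-style helpers on other platforms).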
2 files changed
tree: 6b09845bfeda2fd382548f8ec4acd69798b7598d
README.md

OP-TEE Trusted OS

This git repository contains the source code for the secure-side implementation of the OP-TEE project.

All official OP-TEE documentation has moved to http://optee.readthedocs.io.

// OP-TEE core maintainers