xtest storage: check that we can't use object_id from shared memory
According to the GP spec V1.1, the object_id in create/open/rename
functions is not allowed to reside in the shared memory.
This change checks that when a TA uses a SHM buffer to carry the
object_id parameter of a create/open/rename function, the TEE rejects the
request. It is expected that the TA dies under such conditions.
Suggested-by: Zeng Tao <prime.zeng@hisilicon.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
diff --git a/ta/storage/storage.c b/ta/storage/storage.c
index 6d97597..c61d548 100644
--- a/ta/storage/storage.c
+++ b/ta/storage/storage.c
@@ -26,6 +26,7 @@
*/
#include "storage.h"
+#include "ta_storage.h"
#include <tee_api.h>
#include <trace.h>
@@ -38,12 +39,12 @@
#define VAL2HANDLE(v) (void *)(uintptr_t)(v)
-TEE_Result ta_storage_cmd_open(uint32_t param_types, TEE_Param params[4])
+TEE_Result ta_storage_cmd_open(uint32_t command,
+ uint32_t param_types, TEE_Param params[4])
{
TEE_Result res;
TEE_ObjectHandle o;
void *object_id;
- size_t object_id_size;
ASSERT_PARAM_TYPE(TEE_PARAM_TYPES
(TEE_PARAM_TYPE_MEMREF_INPUT,
@@ -51,30 +52,41 @@
TEE_PARAM_TYPE_VALUE_INPUT,
TEE_PARAM_TYPE_NONE));
- object_id_size = params[0].memref.size;
- object_id = TEE_Malloc(object_id_size, 0);
- if (!object_id)
- return TEE_ERROR_OUT_OF_MEMORY;
+ switch (command) {
+ case TA_STORAGE_CMD_OPEN:
+ object_id = TEE_Malloc(params[0].memref.size, 0);
+ if (!object_id)
+ return TEE_ERROR_OUT_OF_MEMORY;
- TEE_MemMove(object_id, params[0].memref.buffer, object_id_size);
+ TEE_MemMove(object_id, params[0].memref.buffer,
+ params[0].memref.size);
+ break;
+ case TA_STORAGE_CMD_OPEN_ID_IN_SHM:
+ object_id = params[0].memref.buffer;
+ break;
+ default:
+ return TEE_ERROR_NOT_SUPPORTED;
+ }
res = TEE_OpenPersistentObject(params[2].value.a,
- object_id, object_id_size,
+ object_id, params[0].memref.size,
params[1].value.a, &o);
params[1].value.b = (uintptr_t)o;
- TEE_Free(object_id);
+
+ if (command == TA_STORAGE_CMD_OPEN)
+ TEE_Free(object_id);
return res;
}
-TEE_Result ta_storage_cmd_create(uint32_t param_types, TEE_Param params[4])
+TEE_Result ta_storage_cmd_create(uint32_t command,
+ uint32_t param_types, TEE_Param params[4])
{
TEE_Result res;
TEE_ObjectHandle o;
void *object_id;
- size_t object_id_size;
- TEE_ObjectHandle ref;
+ TEE_ObjectHandle ref_handle;
ASSERT_PARAM_TYPE(TEE_PARAM_TYPES
(TEE_PARAM_TYPE_MEMREF_INPUT,
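Review bot: The `TA_STORAGE_CMD_OPEN_ID_IN_SHM` case hands `params[0].memref.buffer`, the client's shared buffer, straight to TEE_OpenPersistentObject with nothing saying this is intentional, so a later reader can mistake it for a missing copy; the same applies to the `_ID_IN_SHM` cases in create, create_overwrite (L142-L144) and rename (L188-L190). Suggest a one-line comment above each such case, `/* Deliberately spec-violating: object_id stays in SHM; the TEE is expected to panic the TA */`, and a sentence in the header comment of each handler noting that `command` selects between the compliant (copied) and test-only (SHM) variants. The cleanup `if (command == TA_STORAGE_CMD_OPEN) TEE_Free(object_id);` is also brittle, since any future command that allocates must be added to the free condition as well; holding the allocated copy in its own pointer, `void *copy = NULL;` … `object_id = copy = TEE_Malloc(params[0].memref.size, 0);` … `TEE_Free(copy);`, frees unconditionally, TEE_Free of NULL being a no-op under the GP Internal Core API. ta_storage_cmd_open's signature and opening lines are in the previous hunk, and ta_storage_cmd_create's body continues past this one.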
@@ -82,32 +94,44 @@
TEE_PARAM_TYPE_VALUE_INPUT,
TEE_PARAM_TYPE_MEMREF_INPUT));
- object_id_size = params[0].memref.size;
- object_id = TEE_Malloc(object_id_size, 0);
- if (!object_id)
- return TEE_ERROR_OUT_OF_MEMORY;
+ switch (command) {
+ case TA_STORAGE_CMD_CREATE:
+ object_id = TEE_Malloc(params[0].memref.size, 0);
+ if (!object_id)
+ return TEE_ERROR_OUT_OF_MEMORY;
- TEE_MemMove(object_id, params[0].memref.buffer, object_id_size);
- ref = (TEE_ObjectHandle)(uintptr_t)params[2].value.a;
+ TEE_MemMove(object_id, params[0].memref.buffer,
+ params[0].memref.size);
+ break;
+ case TA_STORAGE_CMD_CREATE_ID_IN_SHM:
+ object_id = params[0].memref.buffer;
+ break;
+ default:
+ return TEE_ERROR_NOT_SUPPORTED;
+ }
+
+ ref_handle = (TEE_ObjectHandle)(uintptr_t)params[2].value.a;
res = TEE_CreatePersistentObject(params[2].value.b,
- object_id, object_id_size,
- params[1].value.a, ref,
+ object_id, params[0].memref.size,
+ params[1].value.a, ref_handle,
params[3].memref.buffer,
params[3].memref.size, &o);
+ if (command == TA_STORAGE_CMD_CREATE)
+ TEE_Free(object_id);
+
params[1].value.b = (uintptr_t)o;
- TEE_Free(object_id);
return res;
}
-TEE_Result ta_storage_cmd_create_overwrite(uint32_t param_types,
+TEE_Result ta_storage_cmd_create_overwrite(uint32_t command,
+ uint32_t param_types,
TEE_Param params[4])
{
TEE_Result res;
void *object_id;
- size_t object_id_size;
ASSERT_PARAM_TYPE(TEE_PARAM_TYPES
(TEE_PARAM_TYPE_MEMREF_INPUT,
@@ -115,19 +139,29 @@
TEE_PARAM_TYPE_NONE,
TEE_PARAM_TYPE_NONE));
- object_id_size = params[0].memref.size;
- object_id = TEE_Malloc(object_id_size, 0);
- if (!object_id)
- return TEE_ERROR_OUT_OF_MEMORY;
+ switch (command) {
+ case TA_STORAGE_CMD_CREATE_OVERWRITE:
+ object_id = TEE_Malloc(params[0].memref.size, 0);
+ if (!object_id)
+ return TEE_ERROR_OUT_OF_MEMORY;
- TEE_MemMove(object_id, params[0].memref.buffer, object_id_size);
+ TEE_MemMove(object_id, params[0].memref.buffer,
+ params[0].memref.size);
+ break;
+ case TA_STORAGE_CMD_CREATEOVER_ID_IN_SHM:
+ object_id = params[0].memref.buffer;
+ break;
+ default:
+ return TEE_ERROR_NOT_SUPPORTED;
+ }
res = TEE_CreatePersistentObject(params[1].value.a,
- object_id, object_id_size,
+ object_id, params[0].memref.size,
TEE_DATA_FLAG_OVERWRITE,
NULL, NULL, 0, NULL);
- TEE_Free(object_id);
+ if (command == TA_STORAGE_CMD_CREATE_OVERWRITE)
+ TEE_Free(object_id);
return res;
}
@@ -205,11 +239,11 @@
return TEE_SUCCESS;
}
-TEE_Result ta_storage_cmd_rename(uint32_t param_types, TEE_Param params[4])
+TEE_Result ta_storage_cmd_rename(uint32_t command, uint32_t param_types,
+ TEE_Param params[4])
{
TEE_ObjectHandle o = VAL2HANDLE(params[0].value.a);
void *object_id;
- size_t object_id_size;
TEE_Result res;
ASSERT_PARAM_TYPE(TEE_PARAM_TYPES
@@ -217,14 +251,26 @@
TEE_PARAM_TYPE_MEMREF_INPUT, TEE_PARAM_TYPE_NONE,
TEE_PARAM_TYPE_NONE));
- object_id_size = params[1].memref.size;
- object_id = TEE_Malloc(object_id_size, 0);
- if (!object_id)
- return TEE_ERROR_OUT_OF_MEMORY;
+ switch (command) {
+ case TA_STORAGE_CMD_RENAME:
+ object_id = TEE_Malloc(params[1].memref.size, 0);
+ if (!object_id)
+ return TEE_ERROR_OUT_OF_MEMORY;
- TEE_MemMove(object_id, params[1].memref.buffer, object_id_size);
- res = TEE_RenamePersistentObject(o, object_id, object_id_size);
- TEE_Free(object_id);
+ TEE_MemMove(object_id, params[1].memref.buffer,
+ params[1].memref.size);
+ break;
+ case TA_STORAGE_CMD_RENAME_ID_IN_SHM:
+ object_id = params[1].memref.buffer;
+ break;
+ default:
+ return TEE_ERROR_NOT_SUPPORTED;
+ }
+
+ res = TEE_RenamePersistentObject(o, object_id, params[1].memref.size);
+
+ if (command == TA_STORAGE_CMD_RENAME)
+ TEE_Free(object_id);
return res;
}