Potential Heap Buffer overflow in tee_supp_com.c

[Machiry]

At https://github.com/OP-TEE/optee_linuxdriver/blob/master/core/tee_supp_com.c#L215, commFromUser.nbr_bf is completely user controlled and it could be greater than TEE_RPC_BUFFER_NUMBER, this potentially leads to for loop reading and writing to heap over bounds.

[jenswi-linaro]

Hi,

We don't use this driver any more, https://github.com/OP-TEE/optee_linuxdriver#2016-04-17-driver-has-been-deprecated

You're very welcome to review the new driver (which we're trying to upstream) at https://github.com/linaro-swg/linux/tree/optee/drivers/tee or even better when I post the next version of the patch set later this week.

[Machiry]

Sure, but it seems kinda dangerous to have this code hanging. I hope your set of patches fixes these. I know people who are using this :(.

[jockebech]

@Machiry, thanks for reporting. If you can send patches solving the issue on the deprecated driver which at the same time doesn't cause any regressions on OP-TEE 2.0.0, then I'm willing to merge your fix. If it's not possible to make a compatible fix, then we eventually could create forked a "legacy-branch" intended for bug-fixes on pre OP-TEE 2.0.0. But, this won't be something that we actively nor officially support, simply because we don't have the bandwidth to deal with that also.