Potential invalid MEMREF translation, this could be used for bad. #53
Description
In https://github.com/OP-TEE/optee_linuxdriver/blob/master/core/tee_session.c#L600, param->c_shm[idx] is copied from user.
In https://github.com/OP-TEE/optee_linuxdriver/blob/master/core/tee_session.c#L628, where we call tee_shm_get:
tee_shm_get(ctx, ¶m->c_shm[idx], size, offset)
Then in function: tee_shm_get (https://github.com/OP-TEE/optee_linuxdriver/blob/master/core/tee_shm.c#L716) , Here, c_shm is copied from user (i.e param->c_shm[idx]).
Then the check in 741, i.e:
if (c_shm->flags & TEEC_MEM_KAPI) {
//Now, kc_shm is User Controlled.
struct tee_shm *kc_shm = (struct tee_shm *)c_shm->d.ptr;
if (!kc_shm) {
dev_err(_DEV(tee), "kapi fd null\n");
ret = -EINVAL;
goto err;
}
// Here shm->paddr is controlled by user.
shm->paddr = kc_shm->paddr;
This could be exploited to pass arbitrary physical address to Trustlets.