On Thu, Sep 18, 2025 at 02:25:41PM +0200, Jens Wiklander wrote:
Hi Masami,
[+Sumit in CC]
On Wed, Sep 17, 2025 at 10:58:11PM +0900, Masami Ichikawa wrote: [snip]
I wrote a test program and ran it on both 6.17-rc5 and 6.14. I was able to reproduce the crash on both kernels.
I uploaded test code and test results to my gist. https://gist.github.com/masami256/11e21a7503812af7ee1e890080093a2c
The test code is crash_test.c. This program takes two arguments: the first is the malicious buffer size and the second is the actual buffer size. I can reproduce the crash with the following pair:
malicious buffer size: 0xffffff, actual buffer size: 0xff
Thanks Masami for the report and the bug reproducer here.
Thanks, that easily reproduces the problem. The following diff should fix it: --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -318,7 +318,16 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, len = iov_iter_extract_pages(iter, &shm->pages, LONG_MAX, num_pages, 0, &off);
- if (unlikely(len <= 0)) {
- if (unlikely(len < num_pages * PAGE_SIZE)) {
if (len > 0) {/** If we only got a few pages, update to release* the correct amount below.*/shm->num_pages = len / PAGE_SIZE;ret = ERR_PTR(-ENOMEM);goto err_put_shm_pages; ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM); goto err_free_shm_pages; }}
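Review bot: the new outer condition `if (unlikely(len < num_pages * PAGE_SIZE))` compares `len`, which iov_iter_extract_pages() returns as a signed ssize_t, against `num_pages * PAGE_SIZE`; if `num_pages` is an unsigned type, as a page count usually is, the usual arithmetic conversions promote a negative `len` to a large unsigned value, the condition is false, and an error return from iov_iter_extract_pages() would fall through as if all pages had been extracted, so the `ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM)` branch inside could never be reached for a negative `len`. Suggest keeping the original `if (unlikely(len <= 0))` check first and handling the short-extraction case in a separate check afterwards, e.g. `if (unlikely(len < num_pages * PAGE_SIZE))` once `len > 0` is established. The partial path also assumes `len` is a whole number of pages so that `shm->num_pages = len / PAGE_SIZE` releases exactly the pages that were pinned; a comment stating that assumption next to the assignment would help the next reader.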
Thanks Jens for the fix, it sounds appropriate to me. I think this commit [1] introduced the bug in the first place, as the earlier check for pin_user_pages_fast() would have caught this issue without crashing the kernel.
Jens, can you please send a proper fix here? I hope we should be able to get it merged for v6.17 since it sounds critical to me.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
-Sumit