Hi Jens,
On Thu, Sep 18, 2025 at 9:25 PM Jens Wiklander jens.wiklander@linaro.org wrote:
Hi Masami,
[+Sumit in CC]
On Wed, Sep 17, 2025 at 10:58:11PM +0900, Masami Ichikawa wrote: [snip]
I wrote a test program and ran it on both 6.17-rc5 and 6.14. I was able to reproduce the crash on both kernels.
I uploaded test code and test results to my gist. https://gist.github.com/masami256/11e21a7503812af7ee1e890080093a2c
The test code is crash_test.c. This program takes 2 arguments. The first argument is the malicious buffer size and the second one is the actual buffer size. I can reproduce the crash with the following pair.
malicious buffer size: 0xffffff
actual buffer size: 0xff
Thanks, that easily reproduces the problem. The following diff should fix it: --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -318,7 +318,16 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
len = iov_iter_extract_pages(iter, &shm->pages, LONG_MAX, num_pages, 0, &off);
if (unlikely(len <= 0)) {
if (unlikely(len < num_pages * PAGE_SIZE)) {if (len > 0) {/** If we only got a few pages, update to release* the correct amount below.*/shm->num_pages = len / PAGE_SIZE;ret = ERR_PTR(-ENOMEM);goto err_put_shm_pages;} ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM); goto err_free_shm_pages; }Cheers, Jens
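Review bot: the new condition `if (unlikely(len < num_pages * PAGE_SIZE))` no longer catches a negative `len`: PAGE_SIZE is an unsigned long, so a negative ssize_t `len` (an error returned by iov_iter_extract_pages()) is converted to a huge unsigned value, the comparison is false, and the function carries on as if the extraction had succeeded, which makes the `ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM);` branch unreachable for real errors. Keep an explicit `len <= 0` test ahead of the size check. The byte comparison is also wrong for buffers that are not page aligned or not a multiple of PAGE_SIZE: `len` counts bytes starting at `off` inside the first page, so a complete extraction of such a buffer still satisfies `len < num_pages * PAGE_SIZE` and would be rejected with -ENOMEM, and `shm->num_pages = len / PAGE_SIZE;` then under-counts the pinned pages (zero for a buffer shorter than a page, one short whenever `off` is non-zero), leaking them on the err_put_shm_pages path. Comparing page counts instead, `DIV_ROUND_UP(len + off, PAGE_SIZE) != num_pages`, and using that same value for `shm->num_pages` before releasing covers both the complete-but-unaligned and the partially pinned cases.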
Thank you for the fix. I tested both 6.17-rc5 and 6.14. I confirmed your patch solves the problem.
Tested-by: Masami Ichikawa masami256@gmail.com
Regards, -- Masami Ichikawa
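The page accounting that the diff above changes, as an added user-space model written for this page and not code from the kernel, from Jens or from Masami's gist: iov_iter_extract_pages() returns the number of bytes it pinned (negative on error) and the byte offset of the buffer inside the first page, while num_pages is the page count computed before extraction. The block compares the byte-based condition from the posted diff with a page-count comparison on four constructed cases, including an unaligned buffer, a partially pinned buffer (the 0xffffff-versus-0xff shape from the reproducer) and an extractor error. PAGE_SIZE, the helper names and the sample cases are assumptions made for the illustration.

```c
/* Added example, not kernel code: a user-space model of the page accounting
 * around iov_iter_extract_pages() in register_shm_helper(). PAGE_SIZE, the
 * helper names and the sample cases below are assumptions for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#undef PAGE_SIZE
#define PAGE_SIZE 4096UL   /* unsigned long, as the kernel defines it */
#undef DIV_ROUND_UP
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Pages needed to cover len bytes that start at byte off of the first page;
 * this models what iov_iter_npages() reports before extraction. */
static size_t pages_for(size_t off, size_t len)
{
	return DIV_ROUND_UP(off + len, PAGE_SIZE);
}

/* The condition from the posted diff: a byte count compared with whole pages.
 * A negative len is converted to unsigned here and the test becomes false. */
static int short_by_bytes(ssize_t len, size_t num_pages)
{
	return len < num_pages * PAGE_SIZE;
}

/* Alternative: reject errors first, then compare page counts, so an unaligned
 * or odd-sized buffer that was fully pinned is not reported as short. */
static int short_by_pages(ssize_t len, size_t off, size_t num_pages)
{
	if (len <= 0)
		return 1;
	return DIV_ROUND_UP((size_t)len + off, PAGE_SIZE) != num_pages;
}

/* Pages actually pinned by a (possibly partial) extraction: the number that
 * has to be released on the error path. */
static size_t pages_pinned(ssize_t len, size_t off)
{
	if (len <= 0)
		return 0;
	return DIV_ROUND_UP((size_t)len + off, PAGE_SIZE);
}

/* The count the posted diff would release: len / PAGE_SIZE. */
static size_t diff_release_count(ssize_t len)
{
	return len > 0 ? (size_t)len / PAGE_SIZE : 0;
}

int main(void)
{
	/* Constructed cases: offset in first page, bytes requested, bytes the
	 * extractor returned. */
	struct { size_t off, want; ssize_t got; const char *what; } c[] = {
		{ 0,    3 * PAGE_SIZE, 3 * PAGE_SIZE,        "aligned, complete" },
		{ 0x80, 0xff,          0xff,                 "unaligned, complete" },
		{ 0x80, 0xffffff,      2 * PAGE_SIZE - 0x80, "only 2 pages pinned" },
		{ 0,    PAGE_SIZE,     -EFAULT,              "extractor failed" },
	};
	for (size_t i = 0; i < sizeof c / sizeof c[0]; i++) {
		size_t n = pages_for(c[i].off, c[i].want);
		printf("%-22s num_pages=%zu byte-check=%d page-check=%d "
		       "pinned=%zu diff-releases=%zu\n",
		       c[i].what, n, short_by_bytes(c[i].got, n),
		       short_by_pages(c[i].got, c[i].off, n),
		       pages_pinned(c[i].got, c[i].off),
		       diff_release_count(c[i].got));
	}
	return 0;
}
```

The second case is the one to watch: 0xff bytes at offset 0x80 fit in one page and are fully pinned, yet the byte comparison reports the extraction as short, and the last case shows that an extractor error slips through the byte comparison entirely because of the unsigned conversion. The third case shows the release count the diff would use coming out one page below the number actually pinned once the buffer is unaligned.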