1From 1f8d4686cd7c42ad59c9411e1dd7ceea97f5de9d Mon Sep 17 00:00:00 2001
2From: Jens Wiklander <jens.wiklander@linaro.org>
3Date: Tue, 7 Jul 2020 17:19:50 +0200
4Subject: [PATCH 06/11] TTA_TCF: fix CmdTEEGetPropertyA*_withoutEnum()
5
6Property name must not reside in non-secure shared memory when passed as
7argument to TEE_GetPropertyAs*().
8
9Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
10---
11 .../TTA_TCF/TTA_TCF/code_files/TTA_TCF.c | 56 +++++++++++++------
12 1 file changed, 39 insertions(+), 17 deletions(-)
13
14diff --git a/TTAs_Internal_API_1_1_1/TTA_TCF/TTA_TCF/code_files/TTA_TCF.c b/TTAs_Internal_API_1_1_1/TTA_TCF/TTA_TCF/code_files/TTA_TCF.c
15index b7c44c67fe32..8d1df25dea69 100644
16--- a/TTAs_Internal_API_1_1_1/TTA_TCF/TTA_TCF/code_files/TTA_TCF.c
17+++ b/TTAs_Internal_API_1_1_1/TTA_TCF/TTA_TCF/code_files/TTA_TCF.c
18@@ -311,7 +311,7 @@ TEE_Result CmdTEEGetPropertyAsString_withoutEnum(
19 {
20 /** VARIABLES **/
21 TEE_PropSetHandle nPropSet;
22- char* pPropName;
23+ char pPropName[PROPERTY_NAME_MAX_SIZE];
24 char* pOutputName;
25
26 TEE_Result cmdResult;
27@@ -330,12 +330,15 @@ TEE_Result CmdTEEGetPropertyAsString_withoutEnum(
28 /* Read the input parameter */
29 nPropSet = (TEE_PropSetHandle)pParams[0].value.a;
30
31- pPropName = pParams[1].memref.buffer;
32- if (pPropName == NULL)
33+ if (!pParams[1].memref.buffer ||
34+ pParams[1].memref.size >= sizeof(pPropName))
35 {
36 SLogError("CmdTEEGetPropertyAsString_withoutEnum: property name Input parameter is NULL");
37 return TRUSTED_APP_ERROR_BAD_PARAMETERS;
38 }
39+ TEE_MemMove(pPropName, pParams[1].memref.buffer,
40+ pParams[1].memref.size);
41+ pPropName[pParams[1].memref.size] = 0;
42
43 /* Read the output parameters */
44 pOutputName = pParams[2].memref.buffer;
45@@ -359,7 +362,7 @@ TEE_Result CmdTEEGetPropertyAsBool_withoutEnum(
46 {
47 /** VARIABLES **/
48 TEE_PropSetHandle nPropSet;
49- char* pPropName;
50+ char pPropName[PROPERTY_NAME_MAX_SIZE];
51 char nTrue[4] = "true";
52 char
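Review bot: The `SLogError` text in the reject branch of CmdTEEGetPropertyAsString_withoutEnum still says the parameter "is NULL", but the new condition also rejects a name whose `memref.size` is `>= sizeof(pPropName)`, so an over-long name would be logged as a NULL pointer. Reword it to cover both causes, for example `SLogError("CmdTEEGetPropertyAsString_withoutEnum: property name is NULL or too long");`. The Bool, Int, BinaryBlock, UUID and Identity handlers later in the patch carry the same message next to the same condition and would need the same change. The function body starts and ends outside the hunk.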
nFalse[5] = "false";
53 bool nOutputBool;
54@@ -381,12 +384,16 @@ TEE_Result CmdTEEGetPropertyAsBool_withoutEnum(
55 /* Read the input parameter */
56 nPropSet = (TEE_PropSetHandle)pParams[0].value.a;
57
58- pPropName = pParams[1].memref.buffer;
59 if (pPropName == NULL)
60+ if (!pParams[1].memref.buffer ||
61+ pParams[1].memref.size >= sizeof(pPropName))
62 {
63 SLogError("CmdTEEGetPropertyAsBool_withoutEnum: property name Input parameter is NULL");
64 return TRUSTED_APP_ERROR_BAD_PARAMETERS;
65 }
66+ TEE_MemMove(pPropName, pParams[1].memref.buffer,
67+ pParams[1].memref.size);
68+ pPropName[pParams[1].memref.size] = 0;
69
70 /* if all input/output data are correct */
71 cmdResult = TEE_GetPropertyAsBool(nPropSet, pPropName, &nOutputBool);
72@@ -412,7 +419,7 @@ TEE_Result CmdTEEGetPropertyAsInt_withoutEnum(
73 {
74 /** VARIABLES **/
75 TEE_PropSetHandle nPropSet;
76- char* pPropName;
77+ char pPropName[PROPERTY_NAME_MAX_SIZE];
78 char nResultString[5] = "48059";
79 char nWrongResultString[11] = "wrong value";
80 uint32_t nIntResult;
81@@ -435,12 +442,15 @@ TEE_Result CmdTEEGetPropertyAsInt_withoutEnum(
82 /* Read the input parameter */
83 nPropSet = (TEE_PropSetHandle)pParams[0].value.a;
84
85- pPropName = pParams[1].memref.buffer;
86- if (pPropName == NULL)
87+ if (!pParams[1].memref.buffer ||
88+ pParams[1].memref.size >= sizeof(pPropName))
89 {
90 SLogError("CmdTEEGetPropertyAsInt_withoutEnum: property name Input parameter is NULL");
91 return TRUSTED_APP_ERROR_BAD_PARAMETERS;
92 }
93+ TEE_MemMove(pPropName, pParams[1].memref.buffer,
94+ pParams[1].memref.size);
95+ pPropName[pParams[1].memref.size] = 0;
96
97 /* if all input/output data are correct */
98 cmdResult = TEE_GetPropertyAsU32(nPropSet, pPropName, &nIntResult);
99@@ -466,7 +476,7 @@ TEE_Result CmdTEEGetPropertyAsBinaryBlock_withoutEnum(
100 {
101 /** VARIABLES **/
102 TEE_PropSetHandle nPropSet;
103- char* pPropName;
104+ char pPropName[PROPERTY_NAME_MAX_SIZE];
105 void* pOutputBinaryBlock;
106
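Review bot: In CmdTEEGetPropertyAsBool_withoutEnum the old `if (pPropName == NULL)` line is kept as context, so the new NULL/size test ends up nested under it; the hunk counts (12 old lines, 16 new) confirm the line is context and not a removal. `pPropName` is now a local array, so that outer test is never true and the reject branch cannot run: a NULL `memref.buffer` or a `memref.size` of `sizeof(pPropName)` or more reaches `TEE_MemMove` and the terminator write unchecked, which can write past the stack buffer. Delete the stale line so the guard starts at `if (!pParams[1].memref.buffer ||`, as in the String and Int handlers. The function body starts and ends outside the hunk.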
TEE_Result cmdResult;
107
108@@ -485,12 +495,15 @@ TEE_Result CmdTEEGetPropertyAsBinaryBlock_withoutEnum(
109 /* Read the input parameter */
110 nPropSet = (TEE_PropSetHandle)pParams[0].value.a;
111
112- pPropName = pParams[1].memref.buffer;
113- if ((pPropName == NULL))
114+ if (!pParams[1].memref.buffer ||
115+ pParams[1].memref.size >= sizeof(pPropName))
116 {
117 SLogError("CmdTEEGetPropertyAsBinaryBlock_withoutEnum: property name Input parameter is NULL");
118 return TRUSTED_APP_ERROR_BAD_PARAMETERS;
119 }
120+ TEE_MemMove(pPropName, pParams[1].memref.buffer,
121+ pParams[1].memref.size);
122+ pPropName[pParams[1].memref.size] = 0;
123
124 /* Read the output parameters */
125 pOutputBinaryBlock = pParams[2].memref.buffer;
126@@ -515,7 +528,7 @@ TEE_Result CmdTEEGetPropertyAsUUID_withoutEnum(
127 {
128 /** VARIABLES **/
129 TEE_PropSetHandle nPropSet;
130- char* pPropName;
131+ char pPropName[PROPERTY_NAME_MAX_SIZE];
132 char nWrongResultString[10] = "wrong uuid";
133 char nResultUUIDString[36] = "534D4152-542D-4353-4C54-2D54412D3031";
134 char nClockSeqAndNode[8] = SMC_TA_TESTUUID_CLOCKSEQANDNODE;
135@@ -537,12 +550,15 @@ TEE_Result CmdTEEGetPropertyAsUUID_withoutEnum(
136 /* Read the input parameter */
137 nPropSet = (TEE_PropSetHandle)pParams[0].value.a;
138
139- pPropName = pParams[1].memref.buffer;
140- if ((pPropName == NULL))
141+ if (!pParams[1].memref.buffer ||
142+ pParams[1].memref.size >= sizeof(pPropName))
143 {
144 SLogError("CmdTEEGetPropertyAsUUID_withoutEnum: property name Input parameter is NULL");
145 return TRUSTED_APP_ERROR_BAD_PARAMETERS;
146 }
147+ TEE_MemMove(pPropName, pParams[1].memref.buffer,
148+ pParams[1].memref.size);
149+ pPropName[pParams[1].memref.size] = 0;
150
151 /* Read the output parameters */
152 if (pParams[2].memref.buffer == NULL)
153@@ -579,7 +595,7 @@ TEE_Result CmdTEEGetPropertyAsIdentity_withoutEnum(
154 {
155 /** VARIABLES **/
156 TEE_PropSetHandle nPropSet;
157- char* pPropName;
158+ char
pPropName[PROPERTY_NAME_MAX_SIZE];
159 char nWrongResultString[14] = "wrong identity";
160 char nResultIdentityString[45] = "F0000000:534D4152-542D-4353-4C54-2D54412D3031";
161 char nClockSeqAndNode[8] = SMC_TA_TESTUUID_CLOCKSEQANDNODE;
162@@ -602,12 +618,15 @@ TEE_Result CmdTEEGetPropertyAsIdentity_withoutEnum(
163 /* Read the input parameter */
164 nPropSet = (TEE_PropSetHandle)pParams[0].value.a;
165
166- pPropName = pParams[1].memref.buffer;
167- if ((pPropName == NULL))
168+ if (!pParams[1].memref.buffer ||
169+ pParams[1].memref.size >= sizeof(pPropName))
170 {
171 SLogError("CmdTEEGetPropertyAsIdentity_withoutEnum: property name Input parameter is NULL");
172 return TRUSTED_APP_ERROR_BAD_PARAMETERS;
173 }
174+ TEE_MemMove(pPropName, pParams[1].memref.buffer,
175+ pParams[1].memref.size);
176+ pPropName[pParams[1].memref.size] = 0;
177
178 /* Read the output parameters */
179 if (pParams[2].memref.buffer == NULL)
180@@ -647,6 +666,9 @@ TEE_Result CmdTEEGetPropertyAsXXX_fromEnum(
181 TEE_PropSetHandle nPropSet;
182 char pPropName[PROPERTY_NAME_MAX_SIZE];
183 size_t nPropNameSize = 0;
184+ TEE_MemMove(pPropName, pParams[1].memref.buffer,
185+ pParams[1].memref.size);
186+ pPropName[pParams[1].memref.size] = 0;
187 char pOutputString1[PROPERTY_OUTPUT_STRING_MAX_SIZE], pOutputString2[PROPERTY_OUTPUT_STRING_MAX_SIZE];
188 size_t nOutputString1Length = 0;
189 size_t nOutputString2Length = 0;
190--
1912.25.1
192
193
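Review bot: The copy added to CmdTEEGetPropertyAsXXX_fromEnum has no guard in this hunk: `TEE_MemMove` and `pPropName[pParams[1].memref.size] = 0` sit among the declarations with neither a NULL test on `pParams[1].memref.buffer` nor a bound on `memref.size`. A size of `PROPERTY_NAME_MAX_SIZE` or more would therefore write past `pPropName`. The rest of the function is outside the hunk, but any parameter validation further down would run only after the copy. Move the three lines below the declarations and guard them as in the `_withoutEnum` handlers: `if (!pParams[1].memref.buffer || pParams[1].memref.size >= sizeof(pPropName)) return TRUSTED_APP_ERROR_BAD_PARAMETERS;`.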