gprof: fix TEE core crash by allocating sample buffer dynamically

The gprof sample buffer is in user space memory but is also accessed by
the TEE core. Currently, space is reserved by the TA linker script. The
address and size of the buffer are passed to the TEE core via a call to
the gprof PTA. After this call, the TEE core accesses the buffer
periodically, such as when the TA is interrupted by a timer interrupt.

Commit ef305e54eac8 ("libutee: allocate temp secmem for invoke")
modified the way that private TA memory is mapped in TA-to-TA
invocations, so that memory is mapped only for the duration of the
call. After this point, the memory is unmapped so the gprof sample
buffer becomes inaccessible, resulting in a crash:

 E/TC:0 0 Core data-abort at address 0x121356 (translation fault)
 E/TC:0 0  fsr 0x00000007  ttbr0 0x0e19206a  ttbr1 0x0e18806a  cidr 0x2
 E/TC:0 0  cpu #0          cpsr 0x800001f2
 E/TC:0 0  r0 0x00000000      r4 0x00000000    r8 0x00000000   r12 0x0017bb4b
 E/TC:0 0  r1 0x000021ab      r5 0x00000000    r9 0x00000000    sp 0x0e1928f0
 E/TC:0 0  r2 0x0011d000      r6 0x00000000   r10 0x00000000    lr 0x0e112763
 E/TC:0 0  r3 0x00121356      r7 0x0e1928f0   r11 0x00000000    pc 0x0e12958e
 E/TC:0 0 Core data-abort at address 0x121356 .debug_info+1184598 (translation fault)
 E/TC:0 0 Call stack:
 E/TC:0 0  0x0e12958e tee_ta_gprof_sample_pc at optee_os/core/kernel/tee_ta_manager.c:897

The solution is to allocate and map the sample buffer explicitly in
user space when profiling is initialized, and at the same time get rid
of the reserved area in the TA linker script. The TEE core also needs
to check that the sample buffer is valid before writing to it,
otherwise a malicious TA could crash the core by unmapping that memory.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
4 files changed
tree: dc47ec0810f64d03cd4579066a8510daacbbab8c
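Added here as an illustration, not code from OP-TEE or from this commit: a small model of the check the commit message calls for, where the core re-validates the TA's registered sample buffer against the TA's current mappings on every sample and drops the sample if the buffer has been unmapped. The region table, the va-to-pointer translation and every function name are assumptions made for the model.

```c
/* Added example, not OP-TEE code: models the fix described above. The core
 * re-validates the TA's registered buffer on every timer sample and drops the
 * sample instead of faulting. Region table and names are invented. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define MAX_REGIONS 4
/* One user mapping: TA virtual range [va, va+size) backed by core memory. */
struct region { uintptr_t va; size_t size; uint8_t *backing; bool writable; };

struct ta_ctx {
    struct region regions[MAX_REGIONS]; /* size == 0 means unmapped/unused */
    uintptr_t gprof_buf;                /* user VA from the PTA call, 0 = none */
    size_t gprof_size;
};

/* Core pointer for a user range, or NULL unless the whole range lies in one
 * mapped, writable region. Rejects size 0 and wrap-around of va + size. */
static uint8_t *user_writable_ptr(const struct ta_ctx *c, uintptr_t va, size_t size)
{
    if (size == 0 || va > UINTPTR_MAX - size)
        return NULL;
    for (size_t i = 0; i < MAX_REGIONS; i++) {
        const struct region *r = &c->regions[i];
        if (r->size && r->writable && va >= r->va && va + size <= r->va + r->size)
            return r->backing + (va - r->va);
    }
    return NULL;
}

/* PTA entry: validate the buffer once when the TA registers it. */
bool gprof_register(struct ta_ctx *c, uintptr_t buf, size_t size)
{
    if (size < sizeof(uint16_t) || !user_writable_ptr(c, buf, size))
        return false;
    c->gprof_buf = buf;
    c->gprof_size = size;
    return true;
}

/* Timer path: bump the 4-byte-granule bin for the interrupted pc. Re-validates
 * every time, because the TA may have unmapped the buffer since registration. */
bool gprof_sample_pc(struct ta_ctx *c, uintptr_t pc)
{
    uint16_t *hist = (uint16_t *)user_writable_ptr(c, c->gprof_buf, c->gprof_size);
    if (!hist)
        return false;                   /* sample dropped, core keeps running */
    hist[(pc / 4) % (c->gprof_size / sizeof(uint16_t))]++;
    return true;
}
```

The point of the model is the second lookup in gprof_sample_pc: validating only at registration time is exactly what leaves the core exposed once the TA's mapping goes away.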