commit | 8800b01d9f13a104b1c042de0c2106dedac38547 | |
---|---|---|
author | Jerome Forissier <jerome@forissier.org> | Fri Nov 08 17:55:24 2019 +0100 |
committer | Jérôme Forissier <jerome@forissier.org> | Wed Nov 13 14:27:05 2019 +0100 |
tree | dc47ec0810f64d03cd4579066a8510daacbbab8c | |
parent | e4632aa27c799b486dd5fb0021ddfc68954a9587 | |
gprof: fix TEE core crash by allocating sample buffer dynamically

The gprof sample buffer is in user space memory but is also accessed by the TEE core. Currently, space is reserved by the TA linker script. The address and size of the buffer are passed to the TEE core via a call to the gprof PTA. After this call, the TEE core accesses the buffer periodically, such as when the TA is interrupted by a timer interrupt.

Commit ef305e54eac8 ("libutee: allocate temp secmem for invoke") modified the way that private TA memory is mapped in TA to TA invocations, so that memory is mapped only for the duration of the call. After this point, the memory is unmapped so the gprof sample buffer becomes inaccessible, resulting in a crash:

E/TC:0 0 Core data-abort at address 0x121356 (translation fault)
E/TC:0 0 fsr 0x00000007 ttbr0 0x0e19206a ttbr1 0x0e18806a cidr 0x2
E/TC:0 0 cpu #0 cpsr 0x800001f2
E/TC:0 0 r0 0x00000000 r4 0x00000000 r8 0x00000000 r12 0x0017bb4b
E/TC:0 0 r1 0x000021ab r5 0x00000000 r9 0x00000000 sp 0x0e1928f0
E/TC:0 0 r2 0x0011d000 r6 0x00000000 r10 0x00000000 lr 0x0e112763
E/TC:0 0 r3 0x00121356 r7 0x0e1928f0 r11 0x00000000 pc 0x0e12958e
E/TC:0 0 Core data-abort at address 0x121356 .debug_info+1184598 (translation fault)
E/TC:0 0 Call stack:
E/TC:0 0 0x0e12958e tee_ta_gprof_sample_pc at optee_os/core/kernel/tee_ta_manager.c:897

The solution is to allocate and map the sample buffer explicitly in user space when profiling is initialized, and at the same time get rid of the reserved area in the TA linker script. The TEE core also needs to check that the sample buffer is valid before writing to it, otherwise a malicious TA could crash the core by unmapping that memory.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
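The pattern the last paragraph of the commit message calls for, as an added example that is not OP-TEE code: a privileged sampler that writes into a user-space histogram must re-validate the mapping on every write, not only when the buffer is registered, so that a TA which unmaps (or never mapped) the buffer causes a dropped sample rather than a core data-abort. The address-space model, the `struct ta_ctx` fields, `user_range_to_kern`, `gprof_set_buf` and `gprof_sample_pc` are all hypothetical stand-ins for the real core's TA context, access-rights check, PTA handler and `tee_ta_gprof_sample_pc`; the histogram layout (16-bit saturating bins, one bin per `scale` bytes of text) follows the classic gprof convention.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One user-space mapping [va, va+len) backed by host memory (toy model). */
struct region {
	uintptr_t va;
	size_t len;
	uint8_t *backing;
	bool mapped;
};

/* Hypothetical stand-in for a TA context; names are not OP-TEE's own. */
struct ta_ctx {
	struct region regions[4];
	size_t nregions;
	uintptr_t prof_buf;	/* user VA of the histogram, 0 if none */
	size_t prof_buf_len;	/* histogram size in bytes */
	uintptr_t low_pc;	/* first profiled text address */
	unsigned int scale;	/* bytes of text covered by one 16-bit bin */
};

/* Resolve a user range to kernel-accessible memory, or NULL if any byte
 * is not currently mapped. Stands in for the core's access-rights check. */
static void *user_range_to_kern(const struct ta_ctx *ctx, uintptr_t va, size_t len)
{
	uintptr_t end = va + len;
	size_t i;
	if (len == 0 || end < va)	/* empty or wrapped range */
		return NULL;
	for (i = 0; i < ctx->nregions; i++) {
		const struct region *r = &ctx->regions[i];
		if (r->mapped && va >= r->va && end <= r->va + r->len)
			return r->backing + (va - r->va);
	}
	return NULL;
}

/* PTA-side registration of the sample buffer (the call the commit mentions). */
int gprof_set_buf(struct ta_ctx *ctx, uintptr_t buf, size_t len,
		  uintptr_t low_pc, unsigned int scale)
{
	if (!scale || len % sizeof(uint16_t) || buf % sizeof(uint16_t))
		return -1;
	if (!user_range_to_kern(ctx, buf, len))
		return -1;	/* not fully mapped right now: refuse */
	ctx->prof_buf = buf;
	ctx->prof_buf_len = len;
	ctx->low_pc = low_pc;
	ctx->scale = scale;
	return 0;
}

/* Core-side sampler, as called from the timer interrupt path.
 * 0: recorded, 1: pc outside profiled range, -1: no buffer registered,
 * -2: buffer no longer mapped (sample dropped instead of faulting). */
int gprof_sample_pc(struct ta_ctx *ctx, uintptr_t pc)
{
	uint16_t *hist;
	size_t idx;
	if (!ctx->prof_buf_len)
		return -1;
	/* Re-check on every sample: the mapping may have vanished since the
	 * PTA call; writing through a stale pointer is the data-abort above. */
	hist = user_range_to_kern(ctx, ctx->prof_buf, ctx->prof_buf_len);
	if (!hist)
		return -2;
	if (pc < ctx->low_pc)
		return 1;
	idx = (pc - ctx->low_pc) / ctx->scale;
	if (idx >= ctx->prof_buf_len / sizeof(uint16_t))
		return 1;
	if (hist[idx] != UINT16_MAX)	/* saturating, like gprof bins */
		hist[idx]++;
	return 0;
}

/* Walk the scenario from the commit message with constructed addresses.
 * Returns 0 when every step behaves as expected, else the failing step. */
int gprof_demo(void)
{
	static uint16_t hist[64];	/* 16-bit bins, naturally aligned */
	const uintptr_t buf_va = 0x100000, low_pc = 0x8000;
	struct ta_ctx ctx;
	memset(&ctx, 0, sizeof(ctx));
	memset(hist, 0, sizeof(hist));
	ctx.regions[0] = (struct region){ buf_va, sizeof(hist), (uint8_t *)hist, true };
	ctx.nregions = 1;
	if (gprof_set_buf(&ctx, buf_va, sizeof(hist), low_pc, 2))
		return 1;
	if (gprof_sample_pc(&ctx, low_pc + 4) != 0 || hist[2] != 1)
		return 2;	/* (0x8004 - 0x8000) / 2 = bin 2 */
	if (gprof_sample_pc(&ctx, low_pc + 0x1000) != 1)
		return 3;	/* bin 2048 is past the 64 bins: dropped */
	ctx.regions[0].mapped = false;	/* the invoke path unmapped private memory */
	if (gprof_sample_pc(&ctx, low_pc + 4) != -2 || hist[2] != 1)
		return 4;	/* dropped, nothing written, no fault */
	if (gprof_set_buf(&ctx, buf_va, sizeof(hist), low_pc, 2) != -1)
		return 5;	/* registering unmapped memory is refused */
	return 0;
}
```

`gprof_demo()` returns 0 when the whole sequence behaves: a sample lands in the right bin while the buffer is mapped, an out-of-range pc is dropped, and after the mapping goes away the sampler returns `-2` and leaves the histogram untouched instead of dereferencing the stale address. The cost of the per-sample check is one range lookup, which is what keeps a TA's unmap from becoming a core crash.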
This repository contains the source code for the secure-side implementation of the OP-TEE project.
All official OP-TEE documentation has moved to http://optee.readthedocs.io.