DivestOS/Patches/Linux_CVEs/CVE-2016-6752/ANY/0.patch

110 lines
4.3 KiB
Diff
Raw Normal View History

From 0de2c7600c8f1f0152a2f421c6593f931186400a Mon Sep 17 00:00:00 2001
From: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
Date: Mon, 25 Jul 2016 18:14:39 +0530
Subject: qseecom: Change format specifier %p to %pK
Format specifier %p can leak kernel addresses while not valuing the
kptr_restrict system settings. When kptr_restrict is set to (1), kernel
pointers printed using the %pK format specifier will be replaced with 0's.
So that %pK will not leak kernel pointers to unprivileged users.
So change the format specifier from %p to %pK.
Debugging Note : &pK prints only Zeros as address. if you need actual
address information, pls echo 0 to kptr_restrict.
$ echo 0 > /proc/sys/kernel/kptr_restrict
Change-Id: I0baf2be2d5a476e2e4267f20b99d0ddf5492469e
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
---
drivers/misc/qseecom.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index 52034c7..4fab447 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -1133,7 +1133,7 @@ static int qseecom_set_client_mem_param(struct qseecom_dev_handle *data,
if ((req.ifd_data_fd <= 0) || (req.virt_sb_base == NULL) ||
(req.sb_len == 0)) {
- pr_err("Inavlid input(s)ion_fd(%d), sb_len(%d), vaddr(0x%p)\n",
+ pr_err("Inavlid input(s)ion_fd(%d), sb_len(%d), vaddr(0x%pK)\n",
req.ifd_data_fd, req.sb_len, req.virt_sb_base);
return -EFAULT;
}
@@ -1653,7 +1653,7 @@ int __qseecom_process_rpmb_svc_cmd(struct qseecom_dev_handle *data_ptr,
void *req_buf = NULL;
if ((req_ptr == NULL) || (send_svc_ireq_ptr == NULL)) {
- pr_err("Error with pointer: req_ptr = %p, send_svc_ptr = %p\n",
+ pr_err("Error with pointer: req_ptr = %pK, send_svc_ptr = %pK\n",
req_ptr, send_svc_ireq_ptr);
return -EINVAL;
}
@@ -1700,7 +1700,7 @@ int __qseecom_process_fsm_key_svc_cmd(struct qseecom_dev_handle *data_ptr,
uint32_t reqd_len_sb_in = 0;
if ((req_ptr == NULL) || (send_svc_ireq_ptr == NULL)) {
- pr_err("Error with pointer: req_ptr = %p, send_svc_ptr = %p\n",
+ pr_err("Error with pointer: req_ptr = %pK, send_svc_ptr = %pK\n",
req_ptr, send_svc_ireq_ptr);
return -EINVAL;
}
@@ -3025,7 +3025,7 @@ int qseecom_send_command(struct qseecom_handle *handle, void *send_buf,
if (ret)
return ret;
- pr_debug("sending cmd_req->rsp size: %u, ptr: 0x%p\n",
+ pr_debug("sending cmd_req->rsp size: %u, ptr: 0x%pK\n",
req.resp_len, req.resp_buf);
return ret;
}
@@ -4844,7 +4844,7 @@ long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg)
ret = -EINVAL;
break;
}
- pr_debug("SET_MEM_PARAM: qseecom addr = 0x%p\n", data);
+ pr_debug("SET_MEM_PARAM: qseecom addr = 0x%pK\n", data);
ret = qseecom_set_client_mem_param(data, argp);
if (ret)
pr_err("failed Qqseecom_set_mem_param request: %d\n",
@@ -4860,7 +4860,7 @@ long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg)
break;
}
data->type = QSEECOM_CLIENT_APP;
- pr_debug("LOAD_APP_REQ: qseecom_addr = 0x%p\n", data);
+ pr_debug("LOAD_APP_REQ: qseecom_addr = 0x%pK\n", data);
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
if (qseecom.qsee_version > QSEEE_VERSION_00) {
@@ -4886,7 +4886,7 @@ long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg)
ret = -EINVAL;
break;
}
- pr_debug("UNLOAD_APP: qseecom_addr = 0x%p\n", data);
+ pr_debug("UNLOAD_APP: qseecom_addr = 0x%pK\n", data);
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
ret = qseecom_unload_app(data, false);
@@ -5017,7 +5017,7 @@ long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg)
data->type = QSEECOM_CLIENT_APP;
mutex_lock(&app_access_lock);
atomic_inc(&data->ioctl_count);
- pr_debug("APP_LOAD_QUERY: qseecom_addr = 0x%p\n", data);
+ pr_debug("APP_LOAD_QUERY: qseecom_addr = 0x%pK\n", data);
ret = qseecom_query_app_loaded(data, argp);
atomic_dec(&data->ioctl_count);
mutex_unlock(&app_access_lock);
@@ -5288,7 +5288,7 @@ static int qseecom_release(struct inode *inode, struct file *file)
int ret = 0;
if (data->released == false) {
- pr_debug("data: released=false, type=%d, mode=%d, data=0x%p\n",
+ pr_debug("data: released=false, type=%d, mode=%d, data=0x%pK\n",
data->type, data->mode, data);
switch (data->type) {
case QSEECOM_LISTENER_SERVICE:
--
cgit v1.1