DivestOS/Patches/Linux_CVEs/CVE-2014-4322/ANY/0001.patch

From b9470692c228608ef0ec60747ac2732ad7ffedf0 Mon Sep 17 00:00:00 2001
From: Mona Hossain <mhossain@codeaurora.org>
Date: Thu, 9 Oct 2014 12:00:03 -0700
Subject: qseecom: Add boundary checks for offset within message.
The qseecom driver does not have boundary checks for offsets within the
message. This patch adds checks to validate the offsets sent by the
client to modify data within the command request message, so that they
cannot exceed the memory allocated for that message.
Change-Id: I29bfbdc154eebb4f3f4bfbb31789562e37fa5886
Signed-off-by: Mona Hossain <mhossain@codeaurora.org>
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
---
drivers/misc/qseecom.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index 3a93469..b091acd 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -1525,6 +1525,30 @@ static int qseecom_send_cmd(struct qseecom_dev_handle *data, void __user *argp)
return ret;
}
+int boundary_checks_offset(struct qseecom_send_modfd_cmd_req *cmd_req,
+ struct qseecom_send_modfd_listener_resp *lstnr_resp,
+ struct qseecom_dev_handle *data, bool listener_svc,
+ int i) {
+ int ret = 0;
+
+ if ((!listener_svc) && (cmd_req->ifd_data[i].fd > 0)) {
+ if (cmd_req->ifd_data[i].cmd_buf_offset >
+ cmd_req->cmd_req_len - sizeof(uint32_t)) {
+ pr_err("Invalid offset 0x%x\n",
+ cmd_req->ifd_data[i].cmd_buf_offset);
+ return ++ret;
+ }
+ } else if ((listener_svc) && (lstnr_resp->ifd_data[i].fd > 0)) {
+ if (lstnr_resp->ifd_data[i].cmd_buf_offset >
+ lstnr_resp->resp_len - sizeof(uint32_t)) {
+ pr_err("Invalid offset 0x%x\n",
+ lstnr_resp->ifd_data[i].cmd_buf_offset);
+ return ++ret;
+ }
+ }
+ return ret;
+}
+
static int __qseecom_update_cmd_buf(void *msg, bool cleanup,
struct qseecom_dev_handle *data,
bool listener_svc)
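Review bot: The bound `cmd_req->cmd_req_len - sizeof(uint32_t)` (and its listener counterpart on `resp_len`) is evaluated in unsigned arithmetic, so if either length can still be smaller than `sizeof(uint32_t)` at this point — no earlier length check is visible in the hunk — the subtraction wraps and any offset passes; adding `cmd_req->cmd_req_len < sizeof(uint32_t) ||` (mirrored for `resp_len`) in front of each comparison closes that. The same shape is repeated in the third hunk's inline `struct qseecom_sg_entry` checks. The helper is also not `static` and never reads its `data` argument; `static int boundary_checks_offset(...)` keeps it out of the global namespace, and `return ++ret;` is an odd way to say `return 1;` for a function whose callers only test for non-zero. A one-line header such as `/* Non-zero when the client-supplied cmd_buf_offset cannot hold a uint32_t inside the message buffer. */` would document the contract.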
@@ -1598,6 +1622,10 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup,
if (sg_ptr->nents == 1) {
uint32_t *update;
update = (uint32_t *) field;
+
+ if (boundary_checks_offset(cmd_req, lstnr_resp, data,
+ listener_svc, i))
+ goto err;
if (cleanup)
*update = 0;
else
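Review bot: The offset is bounded here but not aligned: a value such as 1 passes `boundary_checks_offset` and makes `*update = 0` on the next line a misaligned 32-bit store into the message buffer, which presumably is only tolerable depending on how that buffer is mapped. Consider rejecting it alongside the range test with `if (cmd_req->ifd_data[i].cmd_buf_offset % sizeof(uint32_t)) goto err;` (mirrored for `lstnr_resp`), or fold the alignment test into the helper so both callers get it. Placing the check after `field` is cast but before the first visible dereference is fine; `__qseecom_update_cmd_buf` and the `err` label lie outside the hunk, so whether `err` releases everything acquired earlier cannot be confirmed here.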
@@ -1607,6 +1635,27 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup,
} else {
struct qseecom_sg_entry *update;
int j = 0;
+
+ if ((!listener_svc) && (cmd_req->ifd_data[i].fd > 0)) {
+ if (cmd_req->ifd_data[i].cmd_buf_offset >
+ cmd_req->cmd_req_len -
+ sizeof(struct qseecom_sg_entry)) {
+ pr_err("Invalid offset = 0x%x\n",
+ cmd_req->ifd_data[i].
+ cmd_buf_offset);
+ goto err;
+ }
+ } else if ((listener_svc) &&
+ (lstnr_resp->ifd_data[i].fd > 0)) {
+ if (lstnr_resp->ifd_data[i].cmd_buf_offset >
+ lstnr_resp->resp_len -
+ sizeof(struct qseecom_sg_entry)) {
+ pr_err("Invalid offset = 0x%x\n",
+ lstnr_resp->ifd_data[i].
+ cmd_buf_offset);
+ goto err;
+ }
+ }
update = (struct qseecom_sg_entry *) field;
for (j = 0; j < sg_ptr->nents; j++) {
if (cleanup) {
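Review bot: The bound reserves room for a single `struct qseecom_sg_entry` at `cmd_buf_offset`, yet the loop at the end of the hunk iterates `sg_ptr->nents` times from `update`; if it advances through consecutive entries, as its shape suggests, every entry after the first can still land past the end of the message. Size the check by the whole table instead: `size_t sg_bytes = (size_t)sg_ptr->nents * sizeof(struct qseecom_sg_entry);` followed by `if (cmd_req->cmd_req_len < sg_bytes || cmd_req->ifd_data[i].cmd_buf_offset > cmd_req->cmd_req_len - sg_bytes)`, with the mirrored form for `lstnr_resp->resp_len`; the leading `<` term also prevents the unsigned subtraction from wrapping. This branch re-implements what `boundary_checks_offset` already does for the single-entry case; giving the helper a byte-count parameter would remove the duplication. The loop body and the `err` label continue past the hunk.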
--