DivestOS/Patches/Linux_CVEs/CVE-2014-9787/0.patch

From 528400ae4cba715f6c9ff4a2657dafd913f30b8b Mon Sep 17 00:00:00 2001
From: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>
Date: Thu, 3 Oct 2013 16:43:39 -0700
Subject: qseecom: Validate the incoming length from user space

Check if there is no integer overflow before using req_len and
resp_len (received from user space). If an overflow is detected
then exit the operation.

Change-Id: I0459a6992bb3b280db42be63a275c55fa6105b1c
Signed-off-by: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>
---
 drivers/misc/qseecom.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index 58703cf..1452908 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -961,6 +961,11 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
 		return -EINVAL;
 	}
 
+	if (req->cmd_req_len > UINT_MAX - req->resp_len) {
+		pr_err("Integer overflow detected in req_len & rsp_len, exiting now\n");
+		return -EINVAL;
+	}
+
 	reqd_len_sb_in = req->cmd_req_len + req->resp_len;
 	if (reqd_len_sb_in > data->client.sb_length) {
 		pr_debug("Not enough memory to fit cmd_buf and "
@@ -980,7 +985,7 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
 
 	msm_ion_do_cache_op(qseecom.ion_clnt, data->client.ihandle,
 					data->client.sb_virt,
-					(req->cmd_req_len + req->resp_len),
+					reqd_len_sb_in,
 					ION_IOC_CLEAN_INV_CACHES);
 
 	ret = scm_call(SCM_SVC_TZSCHEDULER, 1, (const void *) &send_data_req,
-- 
cgit v1.1
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From 528400ae4cba715f6c9ff4a2657dafd913f30b8b Mon Sep 17 00:00:00 2001`
			`From: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>`
			`Date: Thu, 3 Oct 2013 16:43:39 -0700`
			`Subject: qseecom: Validate the incoming length from user space`

			`Check if there is no integer overflow before using req_len and`
			`resp_len (received from user space). If an overflow is detected`
			`then exit the operation.`

			`Change-Id: I0459a6992bb3b280db42be63a275c55fa6105b1c`
			`Signed-off-by: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>`
			`---`
			`drivers/misc/qseecom.c \| 7 ++++++-`
			`1 file changed, 6 insertions(+), 1 deletion(-)`

			`diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c`
			`index 58703cf..1452908 100644`
			`--- a/drivers/misc/qseecom.c`
			`+++ b/drivers/misc/qseecom.c`
			`@@ -961,6 +961,11 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,`
			`return -EINVAL;`
			`}`

			`+ if (req->cmd_req_len > UINT_MAX - req->resp_len) {`
			`+ pr_err("Integer overflow detected in req_len & rsp_len, exiting now\n");`
			`+ return -EINVAL;`
			`+ }`
			`+`
			`reqd_len_sb_in = req->cmd_req_len + req->resp_len;`
			`if (reqd_len_sb_in > data->client.sb_length) {`
			`pr_debug("Not enough memory to fit cmd_buf and "`
			`@@ -980,7 +985,7 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,`

			`msm_ion_do_cache_op(qseecom.ion_clnt, data->client.ihandle,`
			`data->client.sb_virt,`
			`- (req->cmd_req_len + req->resp_len),`
			`+ reqd_len_sb_in,`
			`ION_IOC_CLEAN_INV_CACHES);`

			`ret = scm_call(SCM_SVC_TZSCHEDULER, 1, (const void *) &send_data_req,`
			`--`
			`cgit v1.1`