DivestOS/Patches/Linux_CVEs/CVE-2016-5349/ANY/0002.patch

From 03853a58952834ac3e1e3007c9c680dd4c001a2f Mon Sep 17 00:00:00 2001
From: Zhen Kong <zkong@codeaurora.org>
Date: Thu, 1 Sep 2016 10:20:50 -0700
Subject: qseecom: allocate sglistinfo buffer for kernel clients

To support whitelist feature, sglistinfo table should also
be allocated from qseecom kernel APIs used by kernel client.
Besides, initialize sg in __qseecom_update_cmd_buf_64 to
address a static analysis warning.

Change-Id: I1f1967fd9e95444cca728f09e3e8f4914b2abb95
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
---
 drivers/misc/qseecom.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index aa7c8ad..59545f4 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -3845,12 +3845,21 @@ int qseecom_start_app(struct qseecom_handle **handle,
 	data->client.user_virt_sb_base = 0;
 	data->client.ihandle = NULL;
 
+	/* Allocate sglistinfo buffer for kernel client */
+	data->sglistinfo_ptr = kzalloc(SGLISTINFO_TABLE_SIZE, GFP_KERNEL);
+	if (!(data->sglistinfo_ptr)) {
+		kfree(data);
+		kfree(*handle);
+		*handle = NULL;
+		return -ENOMEM;
+	}
 	init_waitqueue_head(&data->abort_wq);
 
 	data->client.ihandle = ion_alloc(qseecom.ion_clnt, size, 4096,
 				ION_HEAP(ION_QSECOM_HEAP_ID), 0);
 	if (IS_ERR_OR_NULL(data->client.ihandle)) {
 		pr_err("Ion client could not retrieve the handle\n");
+		kfree(data->sglistinfo_ptr);
 		kfree(data);
 		kfree(*handle);
 		*handle = NULL;
@@ -3948,6 +3957,7 @@ int qseecom_start_app(struct qseecom_handle **handle,
 	return 0;
 
 err:
+	kfree(data->sglistinfo_ptr);
 	kfree(data);
 	kfree(*handle);
 	*handle = NULL;
@@ -3989,6 +3999,7 @@ int qseecom_shutdown_app(struct qseecom_handle **handle)
 
 	mutex_unlock(&app_access_lock);
 	if (ret == 0) {
+		kzfree(data->sglistinfo_ptr);
 		kzfree(data);
 		kzfree(*handle);
 		kzfree(kclient);
-- 
cgit v1.1
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From 03853a58952834ac3e1e3007c9c680dd4c001a2f Mon Sep 17 00:00:00 2001`
			`From: Zhen Kong <zkong@codeaurora.org>`
			`Date: Thu, 1 Sep 2016 10:20:50 -0700`
			`Subject: qseecom: allocate sglistinfo buffer for kernel clients`

			`To support whitelist feature, sglistinfo table should also`
			`be allocated from qseecom kernel APIs used by kernel client.`
			`Besides, initialize sg in __qseecom_update_cmd_buf_64 to`
			`address a static analysis warning.`

			`Change-Id: I1f1967fd9e95444cca728f09e3e8f4914b2abb95`
			`Signed-off-by: Zhen Kong <zkong@codeaurora.org>`
			`---`
			`drivers/misc/qseecom.c \| 11 +++++++++++`
			`1 file changed, 11 insertions(+)`

			`diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c`
			`index aa7c8ad..59545f4 100644`
			`--- a/drivers/misc/qseecom.c`
			`+++ b/drivers/misc/qseecom.c`
			`@@ -3845,12 +3845,21 @@ int qseecom_start_app(struct qseecom_handle **handle,`
			`data->client.user_virt_sb_base = 0;`
			`data->client.ihandle = NULL;`

			`+ /* Allocate sglistinfo buffer for kernel client */`
			`+ data->sglistinfo_ptr = kzalloc(SGLISTINFO_TABLE_SIZE, GFP_KERNEL);`
			`+ if (!(data->sglistinfo_ptr)) {`
			`+ kfree(data);`
			`+ kfree(*handle);`
			`+ *handle = NULL;`
			`+ return -ENOMEM;`
			`+ }`
			`init_waitqueue_head(&data->abort_wq);`

			`data->client.ihandle = ion_alloc(qseecom.ion_clnt, size, 4096,`
			`ION_HEAP(ION_QSECOM_HEAP_ID), 0);`
			`if (IS_ERR_OR_NULL(data->client.ihandle)) {`
			`pr_err("Ion client could not retrieve the handle\n");`
			`+ kfree(data->sglistinfo_ptr);`
			`kfree(data);`
			`kfree(*handle);`
			`*handle = NULL;`
			`@@ -3948,6 +3957,7 @@ int qseecom_start_app(struct qseecom_handle **handle,`
			`return 0;`

			`err:`
			`+ kfree(data->sglistinfo_ptr);`
			`kfree(data);`
			`kfree(*handle);`
			`*handle = NULL;`
			`@@ -3989,6 +3999,7 @@ int qseecom_shutdown_app(struct qseecom_handle **handle)`

			`mutex_unlock(&app_access_lock);`
			`if (ret == 0) {`
			`+ kzfree(data->sglistinfo_ptr);`
			`kzfree(data);`
			`kzfree(*handle);`
			`kzfree(kclient);`
			`--`
			`cgit v1.1`