From b9470692c228608ef0ec60747ac2732ad7ffedf0 Mon Sep 17 00:00:00 2001
From: Mona Hossain <mhossain@codeaurora.org>
Date: Thu, 9 Oct 2014 12:00:03 -0700
Subject: qseecom: Add boundary checks for offset within message.
Qseecom driver does not have boundary checks for offset within the
message. So this patch adds checks to validate the offsets sent by
client to modify data within the command request message and it
should not exceed the memory allocated for that message.
Change-Id: I29bfbdc154eebb4f3f4bfbb31789562e37fa5886
Signed-off-by: Mona Hossain <mhossain@codeaurora.org>
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
---
drivers/misc/qseecom.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index 3a93469..b091acd 100644
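--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -1525,6 +1525,30 @@ static int qseecom_send_cmd(struct qseecom_dev_handle *data, void __user *argp)
 return ret;
 }
 
+int boundary_checks_offset(struct qseecom_send_modfd_cmd_req *cmd_req,
+ struct qseecom_send_modfd_listener_resp *lstnr_resp,
+ struct qseecom_dev_handle *data, bool listener_svc,
+ int i) {
+ int ret = 0;
+
+ if ((!listener_svc) && (cmd_req->ifd_data[i].fd > 0)) {
+ if (cmd_req->ifd_data[i].cmd_buf_offset >
+ cmd_req->cmd_req_len - sizeof(uint32_t)) {
+ pr_err("Invalid offset 0x%x\n",
+ cmd_req->ifd_data[i].cmd_buf_offset);
+ return ++ret;
+ }
+ } else if ((listener_svc) && (lstnr_resp->ifd_data[i].fd > 0)) {
+ if (lstnr_resp->ifd_data[i].cmd_buf_offset >
+ lstnr_resp->resp_len - sizeof(uint32_t)) {
+ pr_err("Invalid offset 0x%x\n",
+ lstnr_resp->ifd_data[i].cmd_buf_offset);
+ return ++ret;
+ }
+ }
+ return ret;
+}
+
 static int __qseecom_update_cmd_buf(void *msg, bool cleanup,
 struct qseecom_dev_handle *data,
 bool listener_svc)
@@ -1598,6 +1622,10 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup,
 if (sg_ptr->nents == 1) {
 uint32_t *update;
 update = (uint32_t *) field;
+
+ if (boundary_checks_offset(cmd_req, lstnr_resp, data,
+ listener_svc, i))
+ goto err;
 if (cleanup)
 *update = 0;
 else
@@ -1607,6 +1635,27 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup,
 } else {
 struct qseecom_sg_entry *update;
 int j = 0;
+
+ if ((!listener_svc) && (cmd_req->ifd_data[i].fd > 0)) {
+ if (cmd_req->ifd_data[i].cmd_buf_offset >
+ cmd_req->cmd_req_len -
+ sizeof(struct qseecom_sg_entry)) {
+ pr_err("Invalid offset = 0x%x\n",
+ cmd_req->ifd_data[i].
+ cmd_buf_offset);
+ goto err;
+ }
+ } else if ((listener_svc) &&
+ (lstnr_resp->ifd_data[i].fd > 0)) {
+ if (lstnr_resp->ifd_data[i].cmd_buf_offset >
+ lstnr_resp->resp_len -
+ sizeof(struct qseecom_sg_entry)) {
+ pr_err("Invalid offset = 0x%x\n",
+ lstnr_resp->ifd_data[i].
+ cmd_buf_offset);
+ goto err;
+ }
+ }
 update = (struct qseecom_sg_entry *) field;
 for (j = 0; j < sg_ptr->nents; j++) {
 if (cleanup) {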
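Review bot: The new offset checks can be bypassed when the message length is smaller than the object being written, because `cmd_req->cmd_req_len - sizeof(uint32_t)` is evaluated in unsigned arithmetic and wraps to a very large value, so no offset is rejected; the same holds for the `resp_len` branch of `boundary_checks_offset` and for both `sizeof(struct qseecom_sg_entry)` comparisons in the third hunk. Unless the lengths are validated somewhere not visible here, each comparison should test the length first, e.g. `if (cmd_req->cmd_req_len < sizeof(uint32_t) || cmd_req->ifd_data[i].cmd_buf_offset > cmd_req->cmd_req_len - sizeof(uint32_t))`. In the multi-entry branch the bound covers a single `struct qseecom_sg_entry`, while the loop that follows runs over `sg_ptr->nents` entries starting at `update`, so the size subtracted there presumably needs to be `sg_ptr->nents * sizeof(struct qseecom_sg_entry)`. `boundary_checks_offset` has no visible caller outside this file and could be `static`; the body of `__qseecom_update_cmd_buf` begins and ends outside the hunks, so the value returned at `err` cannot be confirmed from here.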
--
cgit v1.1