From c10f03f191307f7114af89933f2d91b830150094 Mon Sep 17 00:00:00 2001 From: Hariprasad Dhalinarasimha Date: Fri, 27 Sep 2013 18:38:53 -0700 Subject: qseecom: Copy userspace buffer into kernel space before dereferencing ION memory is used for user space to kernel space data passing. This is directly accessible in kernel. But, if the IOCTL is called from user space without using User space library, then data might be pointing to some other memory location, in which case, it would not be possible to dereference this location in kernel & hence it would be accessing invalid memory. Change-Id: Ic50c76ee8b2a696dbb786fce3a68cdc782e15268 Signed-off-by: Hariprasad Dhalinarasimha
---
 drivers/misc/qseecom.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index 4c1943b..1c93bf4 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -1006,14 +1006,37 @@ int __qseecom_process_rpmb_svc_cmd(struct qseecom_dev_handle *data_ptr, struct qseecom_client_send_service_ireq *send_svc_ireq_ptr) { int ret = 0; + void *req_buf = NULL; + if ((req_ptr == NULL) || (send_svc_ireq_ptr == NULL)) { pr_err("Error with pointer: req_ptr = %p, send_svc_ptr = %p\n", req_ptr, send_svc_ireq_ptr); return -EINVAL; } + + if (((uint32_t)req_ptr->cmd_req_buf < + data_ptr->client.user_virt_sb_base) + || ((uint32_t)req_ptr->cmd_req_buf >= + (data_ptr->client.user_virt_sb_base + + data_ptr->client.sb_length))) { + pr_err("cmd buffer address not within shared bufffer\n"); + return -EINVAL; + } + + + if (((uint32_t)req_ptr->resp_buf < data_ptr->client.user_virt_sb_base) + || ((uint32_t)req_ptr->resp_buf >= + (data_ptr->client.user_virt_sb_base + + data_ptr->client.sb_length))){ + pr_err("response buffer address not within shared bufffer\n"); + return -EINVAL; + } + + req_buf = data_ptr->client.sb_virt; + send_svc_ireq_ptr->qsee_cmd_id = req_ptr->cmd_id; send_svc_ireq_ptr->key_type = - ((struct qseecom_rpmb_provision_key *)req_ptr->cmd_req_buf)->key_type; + ((struct qseecom_rpmb_provision_key *)req_buf)->key_type; send_svc_ireq_ptr->req_len = req_ptr->cmd_req_len; send_svc_ireq_ptr->rsp_ptr = (void *)(__qseecom_uvirt_to_kphys(data_ptr, (uint32_t)req_ptr->resp_buf)); -- cgit v1.1
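Review bot: The address that is validated is not the address that is dereferenced: the new range check accepts any cmd_req_buf inside the shared buffer, but the read that follows goes through `req_buf = data_ptr->client.sb_virt;`, the buffer's base, so the offset of cmd_req_buf within the buffer is discarded and a command placed anywhere other than offset 0 has its key_type read from the wrong location. If sb_virt is the kernel mapping of the same region that user_virt_sb_base maps for userspace (the hunk does not show this), the translation should be `req_buf = data_ptr->client.sb_virt + ((uint32_t)req_ptr->cmd_req_buf - data_ptr->client.user_virt_sb_base);`. The check also bounds only the start address, so a cmd_req_buf in the last bytes of the buffer still lets the `struct qseecom_rpmb_provision_key` read run past sb_length; the upper bound should be `(uint32_t)req_ptr->cmd_req_buf > data_ptr->client.user_virt_sb_base + data_ptr->client.sb_length - sizeof(struct qseecom_rpmb_provision_key)`, the resp_buf check needs the same treatment against the response length, and the `user_virt_sb_base + sb_length` sum should be guarded against uint32_t wrap before it is compared. The two pr_err strings also misspell "buffer" as "bufffer". __qseecom_process_rpmb_svc_cmd continues past the end of the hunk.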