mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
44 lines
1.5 KiB
Diff
44 lines
1.5 KiB
Diff
From 528400ae4cba715f6c9ff4a2657dafd913f30b8b Mon Sep 17 00:00:00 2001
|
|
From: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>
|
|
Date: Thu, 3 Oct 2013 16:43:39 -0700
|
|
Subject: qseecom: Validate the incoming length from user space
|
|
|
|
Check if there is no integer overflow before using req_len and
|
|
resp_len (received from user space). If an overflow is detected
|
|
then exit the operation.
|
|
|
|
Change-Id: I0459a6992bb3b280db42be63a275c55fa6105b1c
|
|
Signed-off-by: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>
|
|
---
|
|
drivers/misc/qseecom.c | 7 ++++++-
|
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
|
|
index 58703cf..1452908 100644
|
|
--- a/drivers/misc/qseecom.c
|
|
+++ b/drivers/misc/qseecom.c
|
|
@@ -961,6 +961,11 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
|
|
return -EINVAL;
|
|
}
|
|
|
|
+ if (req->cmd_req_len > UINT_MAX - req->resp_len) {
|
|
+ pr_err("Integer overflow detected in req_len & rsp_len, exiting now\n");
|
|
+ return -EINVAL;
|
|
+ }
|
|
+
|
|
reqd_len_sb_in = req->cmd_req_len + req->resp_len;
|
|
if (reqd_len_sb_in > data->client.sb_length) {
|
|
pr_debug("Not enough memory to fit cmd_buf and "
|
|
@@ -980,7 +985,7 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
|
|
|
|
msm_ion_do_cache_op(qseecom.ion_clnt, data->client.ihandle,
|
|
data->client.sb_virt,
|
|
- (req->cmd_req_len + req->resp_len),
|
|
+ reqd_len_sb_in,
|
|
ION_IOC_CLEAN_INV_CACHES);
|
|
|
|
ret = scm_call(SCM_SVC_TZSCHEDULER, 1, (const void *) &send_data_req,
|
|
--
|
|
cgit v1.1
|
|
|