DivestOS/Patches/Linux_CVEs/CVE-2014-9894/ANY/0001.patch
2017-11-07 17:32:46 -05:00

40 lines
1.4 KiB
Diff

From 83214431cd02674c70402b160b16b7427e28737f Mon Sep 17 00:00:00 2001
From: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>
Date: Thu, 3 Oct 2013 16:52:16 -0700
Subject: qseecom: Ensure incoming "app_name" does not corrupt the kernel stack
Printing a string with that does not have null terminated character,
would lead to overflow, as the print continues until it finds a null
terminated character.
Avoid this issue by explicitly assigning a string with null termination.
Change-Id: I9528db2ba046c514d829097d08c09540588bb1a2
Signed-off-by: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>
---
drivers/misc/qseecom.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index 4c1943b..7ab8089 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -773,6 +773,7 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp)
if (ret)
return ret;
req.qsee_cmd_id = QSEOS_APP_LOOKUP_COMMAND;
+ load_img_req.img_name[MAX_APP_NAME_SIZE-1] = '\0';
memcpy(req.app_name, load_img_req.img_name, MAX_APP_NAME_SIZE);
ret = __qseecom_check_app_exists(req);
@@ -2453,6 +2454,7 @@ static int qseecom_query_app_loaded(struct qseecom_dev_handle *data,
}
req.qsee_cmd_id = QSEOS_APP_LOOKUP_COMMAND;
+ query_req.app_name[MAX_APP_NAME_SIZE-1] = '\0';
memcpy(req.app_name, query_req.app_name, MAX_APP_NAME_SIZE);
ret = __qseecom_check_app_exists(req);
--
cgit v1.1