DivestOS/Patches/Linux_CVEs-New/CVE-2014-9891/ANY/0.patch
2017-10-29 14:23:02 -04:00

65 lines
2.3 KiB
Diff

From c10f03f191307f7114af89933f2d91b830150094 Mon Sep 17 00:00:00 2001
From: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>
Date: Fri, 27 Sep 2013 18:38:53 -0700
Subject: qseecom: Copy userspace buffer into kernel space before dereferencing
ION memory is used for user space to kernel space data passing.
This is directly accessible in kernel. But, if the IOCTL is called
from user space without using User space library, then data might
be pointing to some other memory location, in which case, it would
not be possible to dereference this location in kernel & hence it
would be accessing invalid memory.
Change-Id: Ic50c76ee8b2a696dbb786fce3a68cdc782e15268
Signed-off-by: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>
---
drivers/misc/qseecom.c | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index 4c1943b..1c93bf4 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -1006,14 +1006,37 @@ int __qseecom_process_rpmb_svc_cmd(struct qseecom_dev_handle *data_ptr,
struct qseecom_client_send_service_ireq *send_svc_ireq_ptr)
{
int ret = 0;
+ void *req_buf = NULL;
+
if ((req_ptr == NULL) || (send_svc_ireq_ptr == NULL)) {
pr_err("Error with pointer: req_ptr = %p, send_svc_ptr = %p\n",
req_ptr, send_svc_ireq_ptr);
return -EINVAL;
}
+
+ if (((uint32_t)req_ptr->cmd_req_buf <
+ data_ptr->client.user_virt_sb_base)
+ || ((uint32_t)req_ptr->cmd_req_buf >=
+ (data_ptr->client.user_virt_sb_base +
+ data_ptr->client.sb_length))) {
+ pr_err("cmd buffer address not within shared bufffer\n");
+ return -EINVAL;
+ }
+
+
+ if (((uint32_t)req_ptr->resp_buf < data_ptr->client.user_virt_sb_base)
+ || ((uint32_t)req_ptr->resp_buf >=
+ (data_ptr->client.user_virt_sb_base +
+ data_ptr->client.sb_length))){
+ pr_err("response buffer address not within shared bufffer\n");
+ return -EINVAL;
+ }
+
+ req_buf = data_ptr->client.sb_virt;
+
send_svc_ireq_ptr->qsee_cmd_id = req_ptr->cmd_id;
send_svc_ireq_ptr->key_type =
- ((struct qseecom_rpmb_provision_key *)req_ptr->cmd_req_buf)->key_type;
+ ((struct qseecom_rpmb_provision_key *)req_buf)->key_type;
send_svc_ireq_ptr->req_len = req_ptr->cmd_req_len;
send_svc_ireq_ptr->rsp_ptr = (void *)(__qseecom_uvirt_to_kphys(data_ptr,
(uint32_t)req_ptr->resp_buf));
--
cgit v1.1