Piteball/android_kernel_samsung_msm8226
1
0
Fork 0
mirror of https://github.com/S3NEO/android_kernel_samsung_msm8226.git synced 2024-11-07 03:47:13 +00:00
Code Issues Projects Releases Packages Wiki Activity

qseecom: check invalid handle for app loaded query request

Browse source 
Check if the handle data type received from userspace is valid
for app loaded query request to avoid the offset boundary check
for qseecom_send_modfd_resp is bypassed.

Bug: 143972932
Change-Id: I5f3611a8f830d6904213781c5ba70cfc0ba3e2e0
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
CVE-2019-14041
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
This commit is contained in:
Zhen Kong 2019-08-27 14:02:35 -07:00 committed by matteo0026
parent 8a3dfe4f5f
commit be3729421c
1 changed files with 7 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
drivers/misc/qseecom.c
View file

@ -4188,6 +4188,13 @@ static long qseecom_ioctl(struct file *file, unsigned cmd,
break;
}
case QSEECOM_IOCTL_APP_LOADED_QUERY_REQ: {
if ((data->type != QSEECOM_GENERIC) &&
(data->type != QSEECOM_CLIENT_APP)) {
pr_err("app loaded query req: invalid handle (%d)\n",
data->type);
ret = -EINVAL;
break;
}
data->type = QSEECOM_CLIENT_APP;
pr_debug("APP_LOAD_QUERY: qseecom_addr = 0x%x\n", (u32)data);
mutex_lock(&app_access_lock);