qseecom: check invalid handle for app loaded query request

Check if the handle data_type received from userspace is valid for app loaded query request to avoid the offset boundary check for qseecom_send_modfd_resp is bypassed. Change-Id: I5f3611a8f830d6904213781c5ba70cfc0ba3e2e0 Signed-off-by: Zhen Kong <zkong@codeaurora.org>
2019-08-27 14:02:35 -07:00 · 2019-08-27 14:02:35 -07:00 · 266819e84c
parent 44fdb4e1df
commit 266819e84c
1 changed files with 7 additions and 0 deletions
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@ -7014,6 +7014,13 @@ long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg)
 		break;
 	}
 	case QSEECOM_IOCTL_APP_LOADED_QUERY_REQ: {
+		if ((data->type != QSEECOM_GENERIC) &&
+			(data->type != QSEECOM_CLIENT_APP)) {
+			pr_err("app loaded query req: invalid handle (%d)\n",
+								data->type);
+			ret = -EINVAL;
+			break;
+		}
 		data->type = QSEECOM_CLIENT_APP;
 		mutex_lock(&app_access_lock);
 		atomic_inc(&data->ioctl_count);