qseecom: correct range check in __qseecom_update_cmd_buf_64
Validate that there is enough space to write a uint64 value, rather than a uint32 value, in __qseecom_update_cmd_buf_64. Change-Id: Iabf61dea240f16108e1765585aae3a12d2d651c9 Signed-off-by: jitendra thakare <jitendrathakare@codeaurora.org>
parent
0b55aac049
commit
28f945bd7a
|
@ -1,6 +1,6 @@
|
|||
/*Qualcomm Secure Execution Environment Communicator (QSEECOM) driver
|
||||
*
|
||||
* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
|
||||
* Copyright (c) 2012-2017, 2019 The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 and
|
||||
|
@ -3042,6 +3042,33 @@ int __boundary_checks_offset(struct qseecom_send_modfd_cmd_req *req,
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int __boundary_checks_offset_64(struct qseecom_send_modfd_cmd_req *req,
|
||||
struct qseecom_send_modfd_listener_resp *lstnr_resp,
|
||||
struct qseecom_dev_handle *data, int i)
|
||||
{
|
||||
|
||||
if ((data->type != QSEECOM_LISTENER_SERVICE) &&
|
||||
(req->ifd_data[i].fd > 0)) {
|
||||
if ((req->cmd_req_len < sizeof(uint64_t)) ||
|
||||
(req->ifd_data[i].cmd_buf_offset >
|
||||
req->cmd_req_len - sizeof(uint64_t))) {
|
||||
pr_err("Invalid offset (req len) 0x%x\n",
|
||||
req->ifd_data[i].cmd_buf_offset);
|
||||
return -EINVAL;
|
||||
}
|
||||
} else if ((data->type == QSEECOM_LISTENER_SERVICE) &&
|
||||
(lstnr_resp->ifd_data[i].fd > 0)) {
|
||||
if ((lstnr_resp->resp_len < sizeof(uint64_t)) ||
|
||||
(lstnr_resp->ifd_data[i].cmd_buf_offset >
|
||||
lstnr_resp->resp_len - sizeof(uint64_t))) {
|
||||
pr_err("Invalid offset (lstnr resp len) 0x%x\n",
|
||||
lstnr_resp->ifd_data[i].cmd_buf_offset);
|
||||
return -EINVAL;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int __qseecom_update_cmd_buf(void *msg, bool cleanup,
|
||||
struct qseecom_dev_handle *data)
|
||||
{
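Review bot: `__boundary_checks_offset_64` appears to repeat the structure of `__boundary_checks_offset` (whose body lies outside this hunk) with only the store width changed, so the two bounds checks can drift apart again. Passing the width as an argument, for example a `size_t width` parameter used in place of `sizeof(uint64_t)`, would keep one check that each caller sizes to the write it is about to make. The new function also has no comment; `/* Reject cmd_buf_offset unless a uint64_t fits inside cmd_req_len / resp_len */` above it would state the contract. Both `pr_err` calls print only the offset, so logging the length next to it would make a rejected request easier to triage. Whether `cmd_req_len` and `resp_len` have themselves been validated against the real buffer size is not visible here and is worth confirming in the callers.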
|
||||
|
@ -3399,7 +3426,8 @@ static int __qseecom_update_cmd_buf_64(void *msg, bool cleanup,
|
|||
sg = sg_ptr->sgl;
|
||||
if (sg_ptr->nents == 1) {
|
||||
uint64_t *update_64bit;
|
||||
if (__boundary_checks_offset(req, lstnr_resp, data, i))
|
||||
if (__boundary_checks_offset_64(req, lstnr_resp,
|
||||
data, i))
|
||||
goto err;
|
||||
/* 64bit app uses 64bit address */
|
||||
update_64bit = (uint64_t *) field;
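Review bot: Only the `sg_ptr->nents == 1` branch is switched to `__boundary_checks_offset_64`, and `__qseecom_update_cmd_buf_64` starts and ends outside this hunk, so the multi-entry path cannot be checked from this page. It should be confirmed that every other write in this function is bounded by the size of the 64-bit entries it stores, not by a 32-bit width. The new check guarantees room for eight bytes but does not constrain the alignment of `field`, which is cast to `uint64_t *` on the last line. If the offset is caller-controlled, which this hunk does not show, a comment such as `/* offset is size-checked only; field may be unaligned */` or an explicit alignment test would make that assumption visible.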
|
||||
|
|