
Commit 4b6a269a authored by Brahmaji K's avatar Brahmaji K Committed by TARKZiM

qseecom: Fix accessing userspace memory in kernel space



Use put_user API to write the data from kernel space to
userspace to avoid accessing userspace memory directly
in kernel space.

Change-Id: I649fe2597e80ccad50cf16b355e220734810e94c
Signed-off-by: default avatarBrahmaji K <bkomma@codeaurora.org>
parent 393e8634
+12 −2
@@ -4780,11 +4780,21 @@ static int __qseecom_qteec_issue_cmd(struct qseecom_dev_handle *data,
	int ret = 0;
	uint32_t reqd_len_sb_in = 0;
	struct sglist_info *table = data->sglistinfo_ptr;
	void *req_ptr = NULL;
	void *resp_ptr = NULL;

	ret  = __qseecom_qteec_validate_msg(data, req);
	if (ret)
		return ret;

	req_ptr = req->req_ptr;
	resp_ptr = req->resp_ptr;

	req->req_ptr = (void *)__qseecom_uvirt_to_kvirt(data,
						(uintptr_t)req_ptr);
	req->resp_ptr = (void *)__qseecom_uvirt_to_kvirt(data,
						(uintptr_t)resp_ptr);

	if ((cmd_id == QSEOS_TEE_OPEN_SESSION) ||
			(cmd_id == QSEOS_TEE_REQUEST_CANCELLATION)) {
		ret = __qseecom_update_qteec_req_buf(
@@ -4800,10 +4810,10 @@ static int __qseecom_qteec_issue_cmd(struct qseecom_dev_handle *data,
		ireq.qsee_cmd_id = cmd_id;
	ireq.app_id = data->client.app_id;
	ireq.req_ptr = (uint32_t)__qseecom_uvirt_to_kphys(data,
						(uintptr_t)req->req_ptr);
						(uintptr_t)req_ptr);
	ireq.req_len = req->req_len;
	ireq.resp_ptr = (uint32_t)__qseecom_uvirt_to_kphys(data,
						(uintptr_t)req->resp_ptr);
						(uintptr_t)resp_ptr);
	ireq.resp_len = req->resp_len;
	ireq.sglistinfo_ptr = (uint32_t)virt_to_phys(table);
	ireq.sglistinfo_len = SGLISTINFO_TABLE_SIZE;
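Review bot: After the two `__qseecom_uvirt_to_kvirt` assignments in the first hunk, the caller's `req` carries kernel virtual addresses in `req_ptr`/`resp_ptr` for the rest of the call and after it returns, and nothing in the visible lines restores them. If any caller copies `req` back to user space or translates those fields again, that would expose a kernel address or feed a kernel VA into a user-address helper; this cannot be confirmed here because the function starts and ends outside the hunks. Consider restoring the fields before each return, `req->req_ptr = req_ptr; req->resp_ptr = resp_ptr;`, or working on a local copy of the struct. The rewrite is safe only if `__qseecom_qteec_validate_msg` bounds-checks both pointers and lengths against the shared buffer, so a comment such as `/* req->req_ptr/resp_ptr are kernel VAs from here on; use the saved user addresses for __qseecom_uvirt_to_kphys */` would keep later edits from mixing the two. The description refers to put_user, which does not appear in these hunks.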