qseecom: Copy userspace buffer into kernel space before dereferencing (c10f03f1) · Commits · e / devices / android_kernel_sony_msm8994

drivers/misc/qseecom.c

+24 −1

Original line number	Diff line number	Diff line
		@@ -1006,14 +1006,37 @@ int __qseecom_process_rpmb_svc_cmd(struct qseecom_dev_handle *data_ptr,
		struct qseecom_client_send_service_ireq *send_svc_ireq_ptr)
		{
		int ret = 0;
		void *req_buf = NULL;

		if ((req_ptr == NULL) \|\| (send_svc_ireq_ptr == NULL)) {
		pr_err("Error with pointer: req_ptr = %p, send_svc_ptr = %p\n",
		req_ptr, send_svc_ireq_ptr);
		return -EINVAL;
		}

		if (((uint32_t)req_ptr->cmd_req_buf <
		data_ptr->client.user_virt_sb_base)
		\|\| ((uint32_t)req_ptr->cmd_req_buf >=
		(data_ptr->client.user_virt_sb_base +
		data_ptr->client.sb_length))) {
		pr_err("cmd buffer address not within shared bufffer\n");
		return -EINVAL;
		}


		if (((uint32_t)req_ptr->resp_buf < data_ptr->client.user_virt_sb_base)
		\|\| ((uint32_t)req_ptr->resp_buf >=
		(data_ptr->client.user_virt_sb_base +
		data_ptr->client.sb_length))){
		pr_err("response buffer address not within shared bufffer\n");
		return -EINVAL;
		}

		req_buf = data_ptr->client.sb_virt;

		send_svc_ireq_ptr->qsee_cmd_id = req_ptr->cmd_id;
		send_svc_ireq_ptr->key_type =
		((struct qseecom_rpmb_provision_key *)req_ptr->cmd_req_buf)->key_type;
		((struct qseecom_rpmb_provision_key *)req_buf)->key_type;
		send_svc_ireq_ptr->req_len = req_ptr->cmd_req_len;
		send_svc_ireq_ptr->rsp_ptr = (void *)(__qseecom_uvirt_to_kphys(data_ptr,
		(uint32_t)req_ptr->resp_buf));