Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 05efafc9 authored by Brahmaji K's avatar Brahmaji K
Browse files

msm-3.18: drivers : added validation of input/output buffer sizes 



This change fixes issues reagrding the ioctl
QSEECOM_IOCTL_MDTP_CIPHER_DIP_REQ uncovered by fuzzy tests.
Modified handler of above ioctl, not to allow input/output
buffer sizes greater than a fixed defined size.

Change-Id: I69f94a29d939341564f6f3ebfda48fceaa934542
Signed-off-by: default avatarBrahmaji K <bkomma@codeaurora.org>
parent 6bee3417

drivers/misc/qseecom.c

+5 −1
Original line number Original line Diff line number Diff line
@@ -80,6 +80,9 @@ 
/* Encrypt/Decrypt Data Integrity Partition (DIP) for MDTP */

/* Encrypt/Decrypt Data Integrity Partition (DIP) for MDTP */

#define SCM_MDTP_CIPHER_DIP		0x01

#define SCM_MDTP_CIPHER_DIP		0x01





/* Maximum Allowed Size (128K) of Data Integrity Partition (DIP) for MDTP */

#define MAX_DIP			0x20000



#define RPMB_SERVICE			0x2000

#define RPMB_SERVICE			0x2000

#define SSD_SERVICE			0x3000

#define SSD_SERVICE			0x3000
@@ -6029,7 +6032,8 @@ static int qseecom_mdtp_cipher_dip(void __user *argp) 
		}

		}





		if (req.in_buf == NULL || req.out_buf == NULL ||

		if (req.in_buf == NULL || req.out_buf == NULL ||

			req.in_buf_size == 0 || req.out_buf_size == 0 ||

			req.in_buf_size == 0 || req.in_buf_size > MAX_DIP ||

			req.out_buf_size == 0 || req.out_buf_size > MAX_DIP ||

				req.direction > 1) {

				req.direction > 1) {

				pr_err("invalid parameters\n");

				pr_err("invalid parameters\n");

				ret = -EINVAL;

				ret = -EINVAL;