
Commit 56e6c59c authored by Zhen Kong's avatar Zhen Kong Committed by Matt Wagantall

qseecom: Check if SG list PA is under 32bit when updating buf



Clients use qseecom_send_modified_cmd() to populate the request buffer
with a 32bit physical address for the SG list, so we need to check
whether the SG list PA is beyond the 32bit address range for both 32bit
and 64bit apps. If it is, the low 32bit half taken from the full 64bit
PA and sent to TZ.4.0 is not a valid address and will cause memory
corruption.

Change-Id: I53d101c5b4a95d3d8b5c1f98a1b44b07e1ece5a1
Signed-off-by: default avatarZhen Kong <zkong@codeaurora.org>
parent 5d73c047
+9 −30
@@ -2390,18 +2390,17 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup,
			if (__boundary_checks_offset(req, lstnr_resp, data, i))
				goto err;
			if ((data->type == QSEECOM_CLIENT_APP &&
				data->client.app_arch == ELFCLASS32) ||
				(data->client.app_arch == ELFCLASS32 ||
				data->client.app_arch == ELFCLASS64)) ||
				(data->type == QSEECOM_LISTENER_SERVICE)) {
				/*
				 * 32bit app is using 32bit address, and
				 * check if 32bit app's sg phy addr
				 * region is under 4GB
				 * Check if sg list phy add region is under 4GB
				 */
				if ((qseecom.qsee_version >= QSEE_VERSION_40) &&
					(!cleanup) &&
					((uint64_t)sg_dma_address(sg_ptr->sgl)
					>= PHY_ADDR_4G - sg->length)) {
					pr_err("32bit app %s sgl PA exceeds 4G: phy_addr=%pad, len=%x\n",
					pr_err("App %s sgl PA exceeds 4G: phy_addr=%pad, len=%x\n",
						data->client.app_name,
						&(sg_dma_address(sg_ptr->sgl)),
						sg->length);
@@ -2410,12 +2409,6 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup,
				update = (uint32_t *) field;
				*update = cleanup ? 0 :
					(uint32_t)sg_dma_address(sg_ptr->sgl);
			} else if (data->type == QSEECOM_CLIENT_APP &&
				data->client.app_arch == ELFCLASS64) {
				/* 64bit app is still using 32bit address */
				update = (uint32_t *) field;
				*update = cleanup ? 0 :
					(uint32_t)sg_dma_address(sg_ptr->sgl);
			} else {
				pr_err("QSEE app arch %u is not supported\n",
							data->client.app_arch);
@@ -2451,21 +2444,20 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup,
				}
			}
			if ((data->type == QSEECOM_CLIENT_APP &&
				data->client.app_arch == ELFCLASS32) ||
				(data->client.app_arch == ELFCLASS32 ||
				data->client.app_arch == ELFCLASS64)) ||
				(data->type == QSEECOM_LISTENER_SERVICE)) {
				update = (struct qseecom_sg_entry *)field;
				for (j = 0; j < sg_ptr->nents; j++) {
					/*
					 * 32bit app is using 32bit address, and
					 * check if 32bit app's sg phy addr
					 * region is under 4GB
					* Check if sg list PA is under 4GB
					*/
					if ((qseecom.qsee_version >=
						QSEE_VERSION_40) &&
						(!cleanup) &&
						((uint64_t)(sg_dma_address(sg))
						>= PHY_ADDR_4G - sg->length)) {
						pr_err("32bit app %s sgl PA exceeds 4G: phy_addr=%pad, len=%x\n",
						pr_err("App %s sgl PA exceeds 4G: phy_addr=%pad, len=%x\n",
							data->client.app_name,
							&(sg_dma_address(sg)),
							sg->length);
@@ -2478,19 +2470,6 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup,
					len += sg->length;
					sg = sg_next(sg);
				}
			} else if (data->type == QSEECOM_CLIENT_APP &&
				data->client.app_arch == ELFCLASS64) {
				/* 64bit app is still using 32bit address */
				update = (struct qseecom_sg_entry *)field;
				for (j = 0; j < sg_ptr->nents; j++) {
					update->phys_addr = cleanup ? 0 :
						(uint32_t)sg_dma_address(sg);
					update->len = cleanup ? 0 :
								sg->length;
					update++;
					len += sg->length;
					sg = sg_next(sg);
				}
			} else {
				pr_err("QSEE app arch %u is not supported\n",
							data->client.app_arch);