
Commit 6963e7f0 authored by Zhen Kong's avatar Zhen Kong Committed by Gerrit - the friendly Code Review server

qseecom: check img_len and mdt_len against ion buf len



Variable "load_img_req.img_len" and "load_img_req.mdt_len" are
from user land, so check their values against ion buf length
to avoid buffer overread on QSEE side.

Change-Id: I9e8bfe32d3b0cd5b441ad724543c56467fa5e4da
Signed-off-by: default avatarZhen Kong <zkong@codeaurora.org>
parent 454f9e7e
+13 −1
@@ -2321,7 +2321,13 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp)
				ret);
			goto loadapp_err;
		}

		if (load_img_req.mdt_len > len || load_img_req.img_len > len) {
			pr_err("ion len %zu is smaller than mdt_len %u or img_len %u\n",
					len, load_img_req.mdt_len,
					load_img_req.img_len);
			ret = -EINVAL;
			goto loadapp_err;
		}
		/* Populate the structure for sending scm call to load image */
		if (qseecom.qsee_version < QSEE_VERSION_40) {
			load_req.qsee_cmd_id = QSEOS_APP_START_COMMAND;
@@ -5103,6 +5109,12 @@ static int qseecom_load_external_elf(struct qseecom_dev_handle *data,
			ret);
		return ret;
	}
	if (load_img_req.mdt_len > len || load_img_req.img_len > len) {
		pr_err("ion len %zu is smaller than mdt_len %u or img_len %u\n",
				len, load_img_req.mdt_len,
				load_img_req.img_len);
		return ret;
	}
	/* Populate the structure for sending scm call to load image */
	if (qseecom.qsee_version < QSEE_VERSION_40) {
		load_req.qsee_cmd_id = QSEOS_LOAD_EXTERNAL_ELF_COMMAND;
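Review bot: In the qseecom_load_external_elf hunk the new length check leaves with `return ret;` without assigning ret in that branch. The check just above it already returns on a nonzero ret, so ret is presumably 0 here and the caller would see success for a request that was rejected. The same check in the qseecom_load_app hunk sets `ret = -EINVAL;` before its `goto loadapp_err;`, so this branch should do the same with `return -EINVAL;`. The start of the function and any cleanup path are outside the hunk, so it is also worth confirming whether the ion handle acquired earlier needs to be released on this early return.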