
Commit e9dba93d authored by Se Wang (Patrick) Oh's avatar Se Wang (Patrick) Oh

qseecom: Fix unprotected userspace access



With KASan enabled, unprotected access to userspace memory causes
a PTE translation fault, because KASan can cover only the kernel
memory region. To fix this, use the correct API to access the
user space memory region.

Change-Id: I1eba7d738d00e40b411c2a63dcf41417cfd7dd0f
Signed-off-by: default avatarSe Wang (Patrick) Oh <sewango@codeaurora.org>
parent 66f4f85a
+15 −15
@@ -35,7 +35,7 @@ static int compat_get_qseecom_register_listener_req(

	err |= get_user(virt_sb_base, &data32->virt_sb_base);
	/* upper bits won't get set, zero them */
	data->virt_sb_base = NULL;
	err |= put_user(NULL, &data->virt_sb_base);
	err |= put_user(virt_sb_base, (compat_uptr_t *)&data->virt_sb_base);

	err |= get_user(sb_size, &data32->sb_size);
@@ -80,13 +80,13 @@ static int compat_get_qseecom_send_cmd_req(
	compat_uint_t resp_len;

	err = get_user(cmd_req_buf, &data32->cmd_req_buf);
	data->cmd_req_buf = NULL;
	err |= put_user(NULL, &data->cmd_req_buf);
	err |= put_user(cmd_req_buf, (compat_uptr_t *)&data->cmd_req_buf);
	err |= get_user(cmd_req_len, &data32->cmd_req_len);
	err |= put_user(cmd_req_len, &data->cmd_req_len);

	err |= get_user(resp_buf, &data32->resp_buf);
	data->resp_buf = NULL;
	err |= put_user(NULL, &data->resp_buf);
	err |= put_user(resp_buf, (compat_uptr_t *)&data->resp_buf);
	err |= get_user(resp_len, &data32->resp_len);
	err |= put_user(resp_len, &data->resp_len);
@@ -107,12 +107,12 @@ static int compat_get_qseecom_send_modfd_cmd_req(
	compat_ulong_t cmd_buf_offset;

	err = get_user(cmd_req_buf, &data32->cmd_req_buf);
	data->cmd_req_buf = NULL;
	err |= put_user(NULL, &data->cmd_req_buf);
	err |= put_user(cmd_req_buf, (compat_uptr_t *)&data->cmd_req_buf);
	err |= get_user(cmd_req_len, &data32->cmd_req_len);
	err |= put_user(cmd_req_len, &data->cmd_req_len);
	err |= get_user(resp_buf, &data32->resp_buf);
	data->resp_buf = NULL;
	err |= put_user(NULL, &data->resp_buf);
	err |= put_user(resp_buf, (compat_uptr_t *)&data->resp_buf);
	err |= get_user(resp_len, &data32->resp_len);
	err |= put_user(resp_len, &data->resp_len);
@@ -139,7 +139,7 @@ static int compat_get_qseecom_set_sb_mem_param_req(
	err = get_user(ifd_data_fd, &data32->ifd_data_fd);
	err |= put_user(ifd_data_fd, &data->ifd_data_fd);
	err |= get_user(virt_sb_base, &data32->virt_sb_base);
	data->virt_sb_base = NULL;
	err |= put_user(NULL, &data->virt_sb_base);
	err |= put_user(virt_sb_base, (compat_uptr_t *)&data->virt_sb_base);
	err |= get_user(sb_len, &data32->sb_len);
	err |= put_user(sb_len, &data->sb_len);
@@ -193,12 +193,12 @@ static int compat_get_qseecom_send_svc_cmd_req(
	err = get_user(cmd_id, &data32->cmd_id);
	err |= put_user(cmd_id, &data->cmd_id);
	err |= get_user(cmd_req_buf, &data32->cmd_req_buf);
	data->cmd_req_buf = NULL;
	err |= put_user(NULL, &data->cmd_req_buf);
	err |= put_user(cmd_req_buf, (compat_uptr_t *)&data->cmd_req_buf);
	err |= get_user(cmd_req_len, &data32->cmd_req_len);
	err |= put_user(cmd_req_len, &data->cmd_req_len);
	err |= get_user(resp_buf, &data32->resp_buf);
	data->resp_buf = NULL;
	err |= put_user(NULL, &data->resp_buf);
	err |= put_user(resp_buf, (compat_uptr_t *)&data->resp_buf);
	err |= get_user(resp_len, &data32->resp_len);
	err |= put_user(resp_len, &data->resp_len);
@@ -296,10 +296,10 @@ static int compat_get_qseecom_mdtp_cipher_dip_req(
	err |= get_user(direction, &data32->direction);
	err |= put_user(direction, &data->direction);
	err |= get_user(in_buf, &data32->in_buf);
	data->in_buf = NULL;
	err |= put_user(NULL, &data->in_buf);
	err |= put_user(in_buf, (compat_uptr_t *)&data->in_buf);
	err |= get_user(out_buf, &data32->out_buf);
	data->out_buf = NULL;
	err |= put_user(NULL, &data->out_buf);
	err |= put_user(out_buf, (compat_uptr_t *)&data->out_buf);

	return err;
@@ -317,7 +317,7 @@ static int compat_get_qseecom_send_modfd_listener_resp(
	compat_ulong_t cmd_buf_offset;

	err = get_user(resp_buf_ptr, &data32->resp_buf_ptr);
	data->resp_buf_ptr = NULL;
	err |= put_user(NULL, &data->resp_buf_ptr);
	err |= put_user(resp_buf_ptr, (compat_uptr_t *)&data->resp_buf_ptr);
	err |= get_user(resp_len, &data32->resp_len);
	err |= put_user(resp_len, &data->resp_len);
@@ -345,13 +345,13 @@ static int compat_get_qseecom_qteec_req(
	int err;

	err = get_user(req_ptr, &data32->req_ptr);
	data->req_ptr = NULL;
	err |= put_user(NULL, &data->req_ptr);
	err |= put_user(req_ptr, (compat_uptr_t *)&data->req_ptr);
	err |= get_user(req_len, &data32->req_len);
	err |= put_user(req_len, &data->req_len);

	err |= get_user(resp_ptr, &data32->resp_ptr);
	data->resp_ptr = NULL;
	err |= put_user(NULL, &data->resp_ptr);
	err |= put_user(resp_ptr, (compat_uptr_t *)&data->resp_ptr);
	err |= get_user(resp_len, &data32->resp_len);
	err |= put_user(resp_len, &data->resp_len);
@@ -371,13 +371,13 @@ static int compat_get_qseecom_qteec_modfd_req(
	int err, i;

	err = get_user(req_ptr, &data32->req_ptr);
	data->req_ptr = NULL;
	err |= put_user(NULL, &data->req_ptr);
	err |= put_user(req_ptr, (compat_uptr_t *)&data->req_ptr);
	err |= get_user(req_len, &data32->req_len);
	err |= put_user(req_len, &data->req_len);

	err |= get_user(resp_ptr, &data32->resp_ptr);
	data->resp_ptr = NULL;
	err |= put_user(NULL, &data->resp_ptr);
	err |= put_user(resp_ptr, (compat_uptr_t *)&data->resp_ptr);
	err |= get_user(resp_len, &data32->resp_len);
	err |= put_user(resp_len, &data->resp_len);
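Review bot: Every pointer field is still written in two steps, first `put_user(NULL, &data->virt_sb_base)` and then a 32-bit store through `(compat_uptr_t *)&data->virt_sb_base`, and that second store only lands in the low half of the 64-bit field on a little-endian kernel. A single `err |= put_user(compat_ptr(virt_sb_base), &data->virt_sb_base);` would widen the value in one store, drop the cast and make the "zero the upper bits" comment unnecessary; the same applies to cmd_req_buf, resp_buf, in_buf, out_buf, resp_buf_ptr, req_ptr and resp_ptr in the later hunks. Since `data` is user memory (hence put_user), another thread can presumably change the translated struct before the native handler copies it in, so the pointer and length fields still need full validation there; that code is not visible on this page. All of these functions begin and end outside the hunks shown.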