From 9f290f6e7955181262e0a32e871dd9010124c1f1 Mon Sep 17 00:00:00 2001
From: Zhen Kong
Date: Mon, 20 Mar 2017 10:51:32 -0700
Subject: [PATCH] qseecom: check img_len and mdt_len against ion buf len

Variable "load_img_req.img_len" and "load_img_req.mdt_len" are from user land, so check their values against ion buf length to avoid buffer overread on QSEE side.

Change-Id: I9e8bfe32d3b0cd5b441ad724543c56467fa5e4da
Signed-off-by: Zhen Kong
---
 drivers/misc/qseecom.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index 78f03fc75761..9855bee67627 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -2333,7 +2333,13 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp)
 			ret);
 		goto loadapp_err;
 	}
-
+	if (load_img_req.mdt_len > len || load_img_req.img_len > len) {
+		pr_err("ion len %zu is smaller than mdt_len %u or img_len %u\n",
+			len, load_img_req.mdt_len,
+			load_img_req.img_len);
+		ret = -EINVAL;
+		goto loadapp_err;
+	}
 	/* Populate the structure for sending scm call to load image */
 	if (qseecom.qsee_version < QSEE_VERSION_40) {
 		load_req.qsee_cmd_id = QSEOS_APP_START_COMMAND;
@@ -5149,6 +5155,12 @@ static int qseecom_load_external_elf(struct qseecom_dev_handle *data,
 			ret);
 		return ret;
 	}
+	if (load_img_req.mdt_len > len || load_img_req.img_len > len) {
+		pr_err("ion len %zu is smaller than mdt_len %u or img_len %u\n",
+			len, load_img_req.mdt_len,
+			load_img_req.img_len);
+		return ret;
+	}
 	/* Populate the structure for sending scm call to load image */
 	if (qseecom.qsee_version < QSEE_VERSION_40) {
 		load_req.qsee_cmd_id = QSEOS_LOAD_EXTERNAL_ELF_COMMAND;
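Review bot: The new bound in qseecom_load_app compares `mdt_len` and `img_len` with `len` independently but carries no comment saying why a user-supplied u32 needs capping, so a later cleanup could easily drop or weaken it; a one-liner above the `if` would pin the intent: `/* mdt_len/img_len are user-controlled and tell QSEE how far to read into the ion buffer; neither may exceed the mapped length */`. The check also accepts `mdt_len > img_len`; if the firmware side treats the metadata as a prefix of the image (not visible here), that combination is still inconsistent and could be rejected by extending the condition with `|| load_img_req.mdt_len > load_img_req.img_len`. The identical check is pasted into qseecom_load_external_elf in the next hunk, so a small `static` helper taking the request and `len` would keep the two copies from drifting. qseecom_load_app's body begins and ends outside this hunk.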
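Review bot: The added check in qseecom_load_external_elf does `return ret;` without assigning an error code, unlike the companion hunk in qseecom_load_app which sets `ret = -EINVAL;` first. The visible `ret); return ret; }` just above is the tail of the previous call's failure path, which suggests `ret` is 0 when control reaches the new check, so an oversized mdt_len/img_len would return 0 and the caller would treat the rejected load as a success; the fix is to add `ret = -EINVAL;` before `return ret;`. Since this ioctl path is reachable from userspace with caller-chosen lengths, `pr_err_ratelimited` would also deny a trivial log-flooding primitive, though the surrounding code uses plain pr_err, so that is a judgement call. The function starts and ends outside the hunk.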