qseecom: Fix accessing userspace memory in kernel space · ed85b5e79f - evie/android_kernel_oneplus_msm8998 - Gay Catgirls Forgejo: gay catgirls having sex

evie/android_kernel_oneplus_msm8998

qseecom: Fix accessing userspace memory in kernel space

Use put_user API to write the data from kernel space to
userspace to avoid accessing userspace memory directly
in kernel space.

Change-Id: I649fe2597e80ccad50cf16b355e220734810e94c
Signed-off-by: Brahmaji K <bkomma@codeaurora.org>

This commit is contained in:

Brahmaji K

2017-06-01 17:20:10 +05:30

• committed by

Gerrit - the friendly Code Review server

parent c1a2472056

commit ed85b5e79f

1 changed files with 19 additions and 5 deletions

									
										24

drivers/misc/qseecom.c
									
										View file
										
				@ -2908,7 +2908,11 @@ static int qseecom_send_service_cmd(struct qseecom_dev_handle *data,

						}

						if (req.cmd_id == QSEOS_RPMB_CHECK_PROV_STATUS_COMMAND) {

							pr_warn("RPMB key status is 0x%x\n", resp.result);

							*(uint32_t *)req.resp_buf = resp.result;

							if (put_user(resp.result,

								(uint32_t __user *)req.resp_buf)) {

								ret = -EINVAL;

								goto exit;

							}

							ret = 0;

						}

						break;

				@ -6498,11 +6502,16 @@ static int __qseecom_qteec_issue_cmd(struct qseecom_dev_handle *data,

					void *cmd_buf = NULL;

					size_t cmd_len;

					struct sglist_info *table = data->sglistinfo_ptr;

					void *req_ptr = NULL;

					void *resp_ptr = NULL;

					ret  = __qseecom_qteec_validate_msg(data, req);

					if (ret)

						return ret;

					req_ptr = req->req_ptr;

					resp_ptr = req->resp_ptr;

					/* find app_id & img_name from list */

					spin_lock_irqsave(&qseecom.registered_app_list_lock, flags);

					list_for_each_entry(ptr_app, &qseecom.registered_app_list_head,

				@ -6520,6 +6529,11 @@ static int __qseecom_qteec_issue_cmd(struct qseecom_dev_handle *data,

						return -ENOENT;

					}

					req->req_ptr = (void *)__qseecom_uvirt_to_kvirt(data,

										(uintptr_t)req->req_ptr);

					req->resp_ptr = (void *)__qseecom_uvirt_to_kvirt(data,

										(uintptr_t)req->resp_ptr);

					if ((cmd_id == QSEOS_TEE_OPEN_SESSION) ||

							(cmd_id == QSEOS_TEE_REQUEST_CANCELLATION)) {

						ret = __qseecom_update_qteec_req_buf(

				@ -6531,10 +6545,10 @@ static int __qseecom_qteec_issue_cmd(struct qseecom_dev_handle *data,

					if (qseecom.qsee_version < QSEE_VERSION_40) {

						ireq.app_id = data->client.app_id;

						ireq.req_ptr = (uint32_t)__qseecom_uvirt_to_kphys(data,

										(uintptr_t)req->req_ptr);

										(uintptr_t)req_ptr);

						ireq.req_len = req->req_len;

						ireq.resp_ptr = (uint32_t)__qseecom_uvirt_to_kphys(data,

										(uintptr_t)req->resp_ptr);

										(uintptr_t)resp_ptr);

						ireq.resp_len = req->resp_len;

						ireq.sglistinfo_ptr = (uint32_t)virt_to_phys(table);

						ireq.sglistinfo_len = SGLISTINFO_TABLE_SIZE;

				@ -6545,10 +6559,10 @@ static int __qseecom_qteec_issue_cmd(struct qseecom_dev_handle *data,

					} else {

						ireq_64bit.app_id = data->client.app_id;

						ireq_64bit.req_ptr = (uint64_t)__qseecom_uvirt_to_kphys(data,

										(uintptr_t)req->req_ptr);

										(uintptr_t)req_ptr);

						ireq_64bit.req_len = req->req_len;

						ireq_64bit.resp_ptr = (uint64_t)__qseecom_uvirt_to_kphys(data,

										(uintptr_t)req->resp_ptr);

										(uintptr_t)resp_ptr);

						ireq_64bit.resp_len = req->resp_len;

						if ((data->client.app_arch == ELFCLASS32) &&

							((ireq_64bit.req_ptr >=