qseecom_send_modfd_cmd converts ION buffer's virtual address to scatter gather (SG) list and then sends them to TA by populating SG list into message buffer. As the physical memory address in SG list is used directly by TA, this allows a malicious TA to access/corrupt arbitrary physical memory and may lead to the process gaining kernel/root privileges.

Thus, make changes to have the QSEEComm driver pass a list of whitelist buffers that are allowed to be mapped by TA, and the QSEE kernel, in turn, should add checks to the register_shared_buffer syscall to make sure the shared buffers an application is mapping fall within one of these whitelist buffers.

CRs-fixed: 1021945
Change-Id: I776ead0030cad167afcf41ab985db7151a42d126
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
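The containment check the commit message asks for, sketched as an added example that is not code from this commit or from QSEE: the struct, the function names and the sample addresses are hypothetical. It shows the detail that matters in such a check, comparing by subtraction so a huge length cannot wrap `addr + len` back into an allowed range.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical whitelist entry: one physical region the driver has
 * declared mappable for this request. */
struct wl_region {
    uint64_t base;
    uint64_t size;
};

/* Constructed sample whitelist (addresses are made up). */
static const struct wl_region sample_wl[] = {
    { 0x80000000ULL, 0x1000ULL },
    { 0x90000000ULL, 0x4000ULL },
};

/* True only if [addr, addr+len) lies entirely inside region r.
 * No sum of caller-controlled values is ever computed, so nothing wraps. */
static bool region_contains(const struct wl_region *r, uint64_t addr, uint64_t len)
{
    if (len == 0 || r->size == 0)
        return false;                     /* empty ranges are never valid */
    if (r->size > UINT64_MAX - r->base)
        return false;                     /* malformed whitelist entry */
    if (addr < r->base)
        return false;
    uint64_t off = addr - r->base;        /* safe: addr >= base */
    if (off >= r->size)
        return false;
    return len <= r->size - off;          /* safe: off < size */
}

/* A buffer is accepted only if a single whitelist entry covers all of it. */
bool shared_buf_allowed(const struct wl_region *wl, size_t n, uint64_t addr, uint64_t len)
{
    for (size_t i = 0; i < n; i++)
        if (region_contains(&wl[i], addr, len))
            return true;
    return false;
}

int main(void)
{
    printf("inside: %d\n", shared_buf_allowed(sample_wl, 2, 0x80000800ULL, 0x800ULL));
    printf("wraps:  %d\n", shared_buf_allowed(sample_wl, 2, 0x80000010ULL, UINT64_MAX));
    return 0;
}
```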