qseecom: correct range check in __qseecom_update_qteec_req_buf
Validate that the request buffer has enough space to write a
struct qseecom_param_memref, rather than only a uint32 value,
in __qseecom_update_qteec_req_buf.
Change-Id: I4e092f7aa2b23648c2cedfada311828b9ceb35dc
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index e0386cbc..c870fa9 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -6805,9 +6805,11 @@ static int __qseecom_update_qteec_req_buf(struct qseecom_qteec_modfd_req *req,
pr_err("Ion client can't retrieve the handle\n");
return -ENOMEM;
}
- if ((req->req_len < sizeof(uint32_t)) ||
+ if ((req->req_len <
+ sizeof(struct qseecom_param_memref)) ||
(req->ifd_data[i].cmd_buf_offset >
- req->req_len - sizeof(uint32_t))) {
+ req->req_len -
+ sizeof(struct qseecom_param_memref))) {
pr_err("Invalid offset/req len 0x%x/0x%x\n",
req->req_len,
req->ifd_data[i].cmd_buf_offset);
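Review bot: The widened bounds check on `req->ifd_data[i].cmd_buf_offset` is only correct because of evaluation order, and nothing in the code records that. The `req->req_len < sizeof(struct qseecom_param_memref)` test must stay first, since it short-circuits before `req->req_len - sizeof(struct qseecom_param_memref)` is evaluated; that subtraction is done in unsigned arithmetic and would otherwise wrap to a huge value and let any offset through. I would add a comment above the `if`, for example `/* req_len test must come first: it keeps the subtraction below from wrapping */`. Separately, the `pr_err` context line labels its values "offset/req len" but passes `req->req_len` before `cmd_buf_offset`, so the two numbers appear swapped in the log; swapping the arguments would make rejected requests easier to triage. The function body starts before and continues after this hunk, so whether the later write really is a full `struct qseecom_param_memref` at that offset cannot be confirmed from here.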