authorLinux Build Service Account <lnxbuild@localhost>2017-03-21 21:30:30 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>2017-03-21 21:30:29 -0700
commit6887b6aad3282b63e1d0e4e4e5dacbc4097720bd (patch)
treea780690cd59bee8c912ee2e105fe77f88ef4c8d8
parent63739565ad6d6b9adabeed137261abd5d3c5663d (diff)
parent9f290f6e7955181262e0a32e871dd9010124c1f1 (diff)
Merge "qseecom: check img_len and mdt_len against ion buf len"
-rw-r--r--drivers/misc/qseecom.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index 78f03fc75761..9855bee67627 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -2333,7 +2333,13 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp)
ret);
goto loadapp_err;
}
-
+ if (load_img_req.mdt_len > len || load_img_req.img_len > len) {
+ pr_err("ion len %zu is smaller than mdt_len %u or img_len %u\n",
+ len, load_img_req.mdt_len,
+ load_img_req.img_len);
+ ret = -EINVAL;
+ goto loadapp_err;
+ }
/* Populate the structure for sending scm call to load image */
if (qseecom.qsee_version < QSEE_VERSION_40) {
load_req.qsee_cmd_id = QSEOS_APP_START_COMMAND;
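Review bot: The added check in qseecom_load_app compares `mdt_len` and `img_len` with the ion buffer length one at a time, and nothing in the hunk says how the two fields relate. If `img_len` is the total image size including the mdt header, the per-field check is sufficient. If the two describe separate regions of the same buffer, their sum could still exceed `len`. A short comment would record the assumption, for example `/* lengths presumably come from the __user request; img_len is assumed to include mdt_len, so each is bounded by the ion buffer length */`. The function body starts and ends outside the hunk, so how `load_img_req` is filled in is inferred from the `void __user *argp` parameter only.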
@@ -5149,6 +5155,12 @@ static int qseecom_load_external_elf(struct qseecom_dev_handle *data,
ret);
return ret;
}
+ if (load_img_req.mdt_len > len || load_img_req.img_len > len) {
+ pr_err("ion len %zu is smaller than mdt_len %u or img_len %u\n",
+ len, load_img_req.mdt_len,
+ load_img_req.img_len);
+ return ret;
+ }
/* Populate the structure for sending scm call to load image */
if (qseecom.qsee_version < QSEE_VERSION_40) {
load_req.qsee_cmd_id = QSEOS_LOAD_EXTERNAL_ELF_COMMAND;
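Review bot: The length check added to qseecom_load_external_elf ends with `return ret;`, but the block just above it has already returned on a non-zero `ret`. At this point `ret` is therefore most likely 0, and the caller would see success for a request that was rejected as out of bounds. The matching check added to qseecom_load_app sets `ret = -EINVAL;` before leaving, and this one should report the same error, e.g. `return -EINVAL;`. The function starts and ends outside the hunk, so whether anything acquired earlier needs releasing on this early return cannot be confirmed from the lines shown.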