From f05c122197e45599a778eeeddd614fad59042020 Mon Sep 17 00:00:00 2001 From: Abir Ghosh Date: Tue, 11 Apr 2017 10:01:15 +0530 Subject: [PATCH 1/2] qbt1000: Terminate fingerprint TA name with null Terminate the string, coming from userspace and containing the name of fingerprint trusted app, with null character, to make sure kernel memory does not leak into logs Change-Id: I1668a64fcb6747ce3ef3b1ee6321fa5fa4a1798a CRs-Fixed: 2029409 Signed-off-by: Abir Ghosh Signed-off-by: Kota Priyanka --- drivers/soc/qcom/qbt1000.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/soc/qcom/qbt1000.c b/drivers/soc/qcom/qbt1000.c index 4e7b759ac810..a9a7a19a845c 100644 --- a/drivers/soc/qcom/qbt1000.c +++ b/drivers/soc/qcom/qbt1000.c @@ -368,6 +368,7 @@ static long qbt1000_ioctl( } pr_debug("app %s load before\n", app.name); + app.name[MAX_NAME_SIZE - 1] = '\0'; /* start the TZ app */ rc = qseecom_start_app( @@ -381,7 +382,8 @@ static long qbt1000_ioctl( pr_err("App %s failed to set bw\n", app.name); } } else { - pr_err("app %s failed to load\n", app.name); + dev_err(drvdata->dev, "%s: Fingerprint Trusted App failed to load\n", + __func__); goto end; } From 0e8b39234e25599911424c5b422b6beb97559a55 Mon Sep 17 00:00:00 2001 From: Abir Ghosh Date: Fri, 12 May 2017 09:16:34 +0530 Subject: [PATCH 2/2] qbt1000: Fix for incorrect buffer size check and integer overflow Fix an incorrect buffer size check which might have caused integer overflow. CRs-Fixed: 2045285 Change-Id: I3b5b996c7405f51b488d6cbda31c81a9a9905f23 Signed-off-by: Abir Ghosh Signed-off-by: Kota Priyanka --- drivers/soc/qcom/qbt1000.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/drivers/soc/qcom/qbt1000.c b/drivers/soc/qcom/qbt1000.c index a9a7a19a845c..5323a9fe5e77 100644 --- a/drivers/soc/qcom/qbt1000.c +++ b/drivers/soc/qcom/qbt1000.c 
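Review bot: The added terminator lands one line too late: the context line `pr_debug("app %s load before\n", app.name);` immediately above it still formats the untrusted, possibly unterminated name, which is exactly the log leak the commit message says it closes. Move `app.name[MAX_NAME_SIZE - 1] = '\0';` above that pr_debug, presumably right after the copy from userspace that fills `app`, so that every use of the name is covered rather than only those after line 371. The second hunk's switch to `dev_err(drvdata->dev, ...)` without the name removes one sink, but the context line `pr_err("App %s failed to set bw\n", app.name);` remains and is safe only because it executes after the terminator is written. qbt1000_ioctl begins and ends outside these hunks.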
@@ -150,18 +150,17 @@ static int get_cmd_rsp_buffers(struct qseecom_handle *hdl, uint32_t *rsp_len) { /* 64 bytes alignment for QSEECOM */ - *cmd_len = ALIGN(*cmd_len, 64); - *rsp_len = ALIGN(*rsp_len, 64); + uint64_t aligned_cmd_len = ALIGN((uint64_t)*cmd_len, 64); + uint64_t aligned_rsp_len = ALIGN((uint64_t)*rsp_len, 64); - if (((uint64_t)*rsp_len + (uint64_t)*cmd_len) - > (uint64_t)g_app_buf_size) { - pr_err("buffer too small to hold cmd=%d and rsp=%d\n", - *cmd_len, *rsp_len); + if ((aligned_rsp_len + aligned_cmd_len) > (uint64_t)g_app_buf_size) return -ENOMEM; - } *cmd = hdl->sbuf; + *cmd_len = aligned_cmd_len; *rsp = hdl->sbuf + *cmd_len; + *rsp_len = aligned_rsp_len; + return 0; }
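Review bot: `*cmd_len = aligned_cmd_len;` and `*rsp_len = aligned_rsp_len;` narrow a uint64_t back into the caller's uint32_t without an explicit cast, which is correct only because the preceding comparison against g_app_buf_size has already bounded both aligned lengths; that dependency is worth a comment such as `/* safe to narrow: both lengths are bounded by g_app_buf_size above */`. The removed pr_err was the only diagnostic for an oversized request and the new branch returns -ENOMEM silently, so consider `pr_err("buffer too small to hold cmd=%llu and rsp=%llu\n", (unsigned long long)aligned_cmd_len, (unsigned long long)aligned_rsp_len);`, which also fixes the old message's `%d` for uint32_t values. The outputs are now left untouched when the check fails, whereas the old code had already aligned them in place before failing; that looks intended but changes what a caller sees after an error and deserves a sentence in the commit message. The signature of get_cmd_rsp_buffers begins outside the hunk.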