qseecom: Validate pointer offset in qseecom_send_modfd_cmd
Validate the cmd_req_buf pointer offset in qseecom_send_modfd_cmd, and
make sure the cmd buffer address is within the shared buffer.
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Change-Id: I431511a92ab2cccbc2daebc0cf76cc3872689a97
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Vignesh Veeramani <quicvignes@codeaurora.org>
diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index 3423032..f269159 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -2,7 +2,7 @@
/*Qualcomm Secure Execution Environment Communicator (QSEECOM) driver
*
- * Copyright (c) 2012, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -1191,6 +1191,31 @@
pr_err("copy_from_user failed\n");
return ret;
}
+
+ if (req.cmd_req_buf == NULL || req.resp_buf == NULL) {
+ pr_err("cmd buffer or response buffer is null\n");
+ return -EINVAL;
+ }
+ if (((uint32_t)req.cmd_req_buf < data->client.user_virt_sb_base) ||
+ ((uint32_t)req.cmd_req_buf >= (data->client.user_virt_sb_base +
+ data->client.sb_length))) {
+ pr_err("cmd buffer address not within shared bufffer\n");
+ return -EINVAL;
+ }
+
+ if (((uint32_t)req.resp_buf < data->client.user_virt_sb_base) ||
+ ((uint32_t)req.resp_buf >= (data->client.user_virt_sb_base +
+ data->client.sb_length))){
+ pr_err("response buffer address not within shared bufffer\n");
+ return -EINVAL;
+ }
+
+ if (req.cmd_req_len == 0 || req.cmd_req_len > data->client.sb_length ||
+ req.resp_len > data->client.sb_length) {
+ pr_err("cmd or response buffer length not valid\n");
+ return -EINVAL;
+ }
+
send_cmd_req.cmd_req_buf = req.cmd_req_buf;
send_cmd_req.cmd_req_len = req.cmd_req_len;
send_cmd_req.resp_buf = req.resp_buf;
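Review bot: The new checks on `req.cmd_req_buf` and `req.resp_buf` bound only the start address and, separately, the length, so a buffer that starts near the end of the shared buffer with a length up to `sb_length` still passes and extends past `user_virt_sb_base + sb_length`. Each buffer's end should be bounded too, written as a comparison against the space remaining after the start address so the check itself cannot wrap; the existing `user_virt_sb_base + sb_length` sum may also wrap if those fields are 32-bit, which the hunk does not show. The `(uint32_t)` pointer casts would truncate on a 64-bit build, so `unsigned long` or `uintptr_t` is presumably the safer type. The enclosing function starts and ends outside the hunk, so whether the per-fd offsets are validated elsewhere cannot be seen here.

```c
	/* … unchanged: NULL, start-address and length checks … */

	/* start address is already known to lie inside the shared buffer,
	 * so the subtraction below cannot underflow */
	if (req.cmd_req_len > data->client.sb_length -
		((uint32_t)req.cmd_req_buf - data->client.user_virt_sb_base)) {
		pr_err("cmd buffer extends past shared buffer\n");
		return -EINVAL;
	}
	if (req.resp_len > data->client.sb_length -
		((uint32_t)req.resp_buf - data->client.user_virt_sb_base)) {
		pr_err("response buffer extends past shared buffer\n");
		return -EINVAL;
	}

	send_cmd_req.cmd_req_buf = req.cmd_req_buf;
```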