qseecom: check invalid handle for app loaded query request

Check if the handle data type received from userspace is valid for app loaded query request to avoid the offset boundary check for qseecom_send_modfd_resp is bypassed. Change-Id: I5f3611a8f830d6904213781c5ba70cfc0ba3e2e0 Signed-off-by: Zhen Kong <zkong@codeaurora.org>
author: Zhen Kong <zkong@codeaurora.org> 2019-08-27 14:02:35 -0700
committer: Zhen Kong <zkong@codeaurora.org> 2019-08-30 14:51:37 -0700
commit: ccc8c4fcf682d2e0b44d0c18e87fcb19e0d224d7 (patch)
tree: 5d9da97eba275a47f350c40e2fef3aa42718f816 /drivers/misc
parent: 22dc337a69af6c8b2aceecb3cbaef9049ef4fb73 (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index e85b2b8972c9..c002f8cc1d33 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -1,6 +1,6 @@
 /*Qualcomm Secure Execution Environment Communicator (QSEECOM) driver
  *
- * Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -7281,6 +7281,13 @@ long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg)
 		break;
 	}
 	case QSEECOM_IOCTL_APP_LOADED_QUERY_REQ: {
+		if ((data->type != QSEECOM_GENERIC) &&
+			(data->type != QSEECOM_CLIENT_APP)) {
+			pr_err("app loaded query req: invalid handle (%d)\n",
+								data->type);
+			ret = -EINVAL;
+			break;
+		}
 		data->type = QSEECOM_CLIENT_APP;
 		mutex_lock(&app_access_lock);
 		atomic_inc(&data->ioctl_count);
author	Zhen Kong <zkong@codeaurora.org>	2019-08-27 14:02:35 -0700
committer	Zhen Kong <zkong@codeaurora.org>	2019-08-30 14:51:37 -0700
commit	ccc8c4fcf682d2e0b44d0c18e87fcb19e0d224d7 (patch)
tree	5d9da97eba275a47f350c40e2fef3aa42718f816 /drivers/misc
parent	22dc337a69af6c8b2aceecb3cbaef9049ef4fb73 (diff)