platform: msm_shared: Avoid the integer overflow in qseecom
Avoid the possible integer overflow in rounding up the keymaster partition
size.
Issue: SEC-1603
Change-Id: I0e119881723931b0913b6a185b80008b2bb0d17f
(cherry picked from commit abe4f7042cbdef928ffc152335a17150fb39b096)
diff --git a/platform/msm_shared/qseecom_lk.c b/platform/msm_shared/qseecom_lk.c
index bd073a6..505126a 100644
--- a/platform/msm_shared/qseecom_lk.c
+++ b/platform/msm_shared/qseecom_lk.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2015,2017 The Linux Foundation. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -304,6 +304,7 @@
int index = INVALID_PTN;
unsigned long long ptn = 0;
unsigned long long size = 0;
+ unsigned long long rounded_size = 0;
void *buf = NULL;
void *req = NULL;
struct qseecom_load_app_ireq load_req = {0};
@@ -324,8 +325,13 @@
mmc_set_lun(lun);
size = partition_get_size(index);
-
- buf = memalign(PAGE_SIZE, ROUNDUP(size, PAGE_SIZE));
+ if ((ULLONG_MAX - PAGE_SIZE + 1) < size) {
+ dprintf(CRITICAL, "Integer overflow detected in rounding up the partition size!");
+ ret = GENERIC_ERROR;
+ goto err;
+ }
+ rounded_size = ROUNDUP(size, PAGE_SIZE);
+ buf = memalign(PAGE_SIZE, rounded_size);
if (!buf) {
dprintf(CRITICAL, "%s: Aloc failed for %s image\n",
__func__, app_name);
@@ -385,6 +391,7 @@
int index = INVALID_PTN;
unsigned long long ptn = 0;
unsigned long long size = 0;
+ unsigned long long rounded_size = 0;
void *buf = NULL;
void *req = NULL;
struct qseecom_load_app_ireq load_req = {0};
@@ -398,8 +405,13 @@
mmc_set_lun(lun);
size = partition_get_size(index);
-
- buf = memalign(PAGE_SIZE, ROUNDUP(size, PAGE_SIZE));
+ if ((ULLONG_MAX - PAGE_SIZE + 1) < size) {
+ dprintf(CRITICAL, "Integer overflow detected in rounding up the partition size!");
+ ret = GENERIC_ERROR;
+ goto err;
+ }
+ rounded_size = ROUNDUP(size, PAGE_SIZE);
+ buf = memalign(PAGE_SIZE, rounded_size);
if (!buf) {
dprintf(CRITICAL, "%s: Aloc failed for %s image\n",
__func__, app_name);