platform: msm_shared: Fixed Heap overflow issue.
Changing the rounded size to unsigned long in
order to avoid truncation of size variable.
Change-Id: I87db38b50b1fc1944522f717502708681d7ee982
diff --git a/platform/msm_shared/qseecom_lk.c b/platform/msm_shared/qseecom_lk.c
index 717c2a5..d385fd5 100644
--- a/platform/msm_shared/qseecom_lk.c
+++ b/platform/msm_shared/qseecom_lk.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2015,2017 The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2015,2017-2018 The Linux Foundation. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -47,7 +47,7 @@
#define MAX_SCM_ARGS 10
#define N_EXT_SCM_ARGS 7
#define FIRST_EXT_ARG_IDX 3
-
+#define MAX_TA_PARTITION_SIZE 0x00100000
#define N_REGISTER_ARGS (MAX_SCM_ARGS - N_EXT_SCM_ARGS + 1)
#define QSEE_LOG_BUF_SIZE (4096)
@@ -551,7 +551,7 @@
int index = INVALID_PTN;
unsigned long long ptn = 0;
unsigned long long size = 0;
- unsigned long long rounded_size = 0;
+ unsigned long rounded_size = 0;
void *buf = NULL;
void *req = NULL;
struct qseecom_load_app_ireq load_req = {0};
@@ -569,8 +569,8 @@
mmc_set_lun(lun);
size = partition_get_size(index);
- if ((ULLONG_MAX - PAGE_SIZE + 1) < size) {
- dprintf(CRITICAL, "Integer overflow detected in rounding up the partition size!");
+ if (MAX_TA_PARTITION_SIZE < size) {
+ dprintf(CRITICAL, "Invalid TA partition size!");
ret = GENERIC_ERROR;
goto err;
}
@@ -626,7 +626,7 @@
int index = INVALID_PTN;
unsigned long long ptn = 0;
unsigned long long size = 0;
- unsigned long long rounded_size = 0;
+ unsigned long rounded_size = 0;
void *buf = NULL;
void *req = NULL;
struct qseecom_load_app_ireq load_req = {0};
@@ -640,8 +640,8 @@
mmc_set_lun(lun);
size = partition_get_size(index);
- if ((ULLONG_MAX - PAGE_SIZE + 1) < size) {
- dprintf(CRITICAL, "Integer overflow detected in rounding up the partition size!");
+ if (MAX_TA_PARTITION_SIZE < size) {
+ dprintf(CRITICAL, "Invalid cmnlib partition size!");
ret = GENERIC_ERROR;
goto err;
}