platform: msm_shared: Avoid the integer overflow in qseecom
Avoid the possible integer overflow in rounding up the keymaster partition
size.
Change-Id: I0e119881723931b0913b6a185b80008b2bb0d17f
diff --git a/platform/msm_shared/qseecom_lk.c b/platform/msm_shared/qseecom_lk.c
index 445904a..563d1e5 100644
--- a/platform/msm_shared/qseecom_lk.c
+++ b/platform/msm_shared/qseecom_lk.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2015,2017 The Linux Foundation. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -555,6 +555,7 @@
int index = INVALID_PTN;
unsigned long long ptn = 0;
unsigned long long size = 0;
+ unsigned long long rounded_size = 0;
void *buf = NULL;
void *req = NULL;
struct qseecom_load_app_ireq load_req = {0};
@@ -572,8 +573,13 @@
mmc_set_lun(lun);
size = partition_get_size(index);
-
- buf = memalign(PAGE_SIZE, ROUNDUP(size, PAGE_SIZE));
+ if ((ULLONG_MAX - PAGE_SIZE + 1) < size) {
+ dprintf(CRITICAL, "Integer overflow detected in rounding up the partition size!");
+ ret = GENERIC_ERROR;
+ goto err;
+ }
+ rounded_size = ROUNDUP(size, PAGE_SIZE);
+ buf = memalign(PAGE_SIZE, rounded_size);
if (!buf) {
dprintf(CRITICAL, "%s: Aloc failed for %s image\n",
__func__, app_name);
@@ -624,6 +630,7 @@
int index = INVALID_PTN;
unsigned long long ptn = 0;
unsigned long long size = 0;
+ unsigned long long rounded_size = 0;
void *buf = NULL;
void *req = NULL;
struct qseecom_load_app_ireq load_req = {0};
@@ -637,8 +644,13 @@
mmc_set_lun(lun);
size = partition_get_size(index);
-
- buf = memalign(PAGE_SIZE, ROUNDUP(size, PAGE_SIZE));
+ if ((ULLONG_MAX - PAGE_SIZE + 1) < size) {
+ dprintf(CRITICAL, "Integer overflow detected in rounding up the partition size!");
+ ret = GENERIC_ERROR;
+ goto err;
+ }
+ rounded_size = ROUNDUP(size, PAGE_SIZE);
+ buf = memalign(PAGE_SIZE, rounded_size);
if (!buf) {
dprintf(CRITICAL, "%s: Aloc failed for %s image\n",
__func__, app_name);