Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / lk / be2a9fa45a17b8d3acf43588a9d94abd988fefdb^! / . / platform / msm_shared / qseecom_lk.c
commitbe2a9fa45a17b8d3acf43588a9d94abd988fefdb[log] [tgz]
authorKishor PK <kpbhat@codeaurora.org>Thu Jul 27 13:26:52 2017 +0530
committerKishor PK <kpbhat@codeaurora.org>Thu Aug 17 18:38:43 2017 +0530
tree0c03d9eced8548c6789b0447daa47511bf5ecc83
parent9245c479dc3d1d44f76c463d08f4b0d370b4f9e4 [diff] [blame]
platform: msm_shared: Avoid the integer overflow in qseecom

Avoid the possible integer overflow in rounding up the keymaster partition
size.

Change-Id: I0e119881723931b0913b6a185b80008b2bb0d17f

diff --git a/platform/msm_shared/qseecom_lk.c b/platform/msm_shared/qseecom_lk.c
index 445904a..563d1e5 100644
--- a/platform/msm_shared/qseecom_lk.c
+++ b/platform/msm_shared/qseecom_lk.c

@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2015,2017 The Linux Foundation. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
@@ -555,6 +555,7 @@
 	int index = INVALID_PTN;
 	unsigned long long ptn = 0;
 	unsigned long long size = 0;
+	unsigned long long rounded_size = 0;
 	void *buf = NULL;
 	void *req = NULL;
 	struct qseecom_load_app_ireq load_req = {0};
@@ -572,8 +573,13 @@
 	mmc_set_lun(lun);
 
 	size = partition_get_size(index);
-
-	buf = memalign(PAGE_SIZE, ROUNDUP(size, PAGE_SIZE));
+	if ((ULLONG_MAX - PAGE_SIZE + 1) < size) {
+		dprintf(CRITICAL, "Integer overflow detected in rounding up the partition size!");
+		ret = GENERIC_ERROR;
+		goto err;
+	}
+	rounded_size = ROUNDUP(size, PAGE_SIZE);
+	buf = memalign(PAGE_SIZE, rounded_size);
 	if (!buf) {
 		dprintf(CRITICAL, "%s: Aloc failed for %s image\n",
 				__func__, app_name);
@@ -624,6 +630,7 @@
 	int index = INVALID_PTN;
 	unsigned long long ptn = 0;
 	unsigned long long size = 0;
+	unsigned long long rounded_size = 0;
 	void *buf = NULL;
 	void *req = NULL;
 	struct qseecom_load_app_ireq load_req = {0};
@@ -637,8 +644,13 @@
 	mmc_set_lun(lun);
 
 	size = partition_get_size(index);
-
-	buf = memalign(PAGE_SIZE, ROUNDUP(size, PAGE_SIZE));
+	if ((ULLONG_MAX - PAGE_SIZE + 1) < size) {
+		dprintf(CRITICAL, "Integer overflow detected in rounding up the partition size!");
+		ret = GENERIC_ERROR;
+		goto err;
+	}
+	rounded_size = ROUNDUP(size, PAGE_SIZE);
+	buf = memalign(PAGE_SIZE, rounded_size);
 	if (!buf) {
 		dprintf(CRITICAL, "%s: Aloc failed for %s image\n",
 				__func__, app_name);