Commit Graph

195 Commits

Author SHA1 Message Date
Monika Singh 265e1a22ad ARM: dts: msm: Untrusted pointer dereference
To avoid accessing a variable after it has been freed, use the
list_first_entry_safe function to iterate over a list of the
given type, which is safe against removal of list entries.

Change-Id: I70611fddf3e9b80b1affa3e5235be24eac0d0a58
Signed-off-by: Monika Singh <monising@codeaurora.org>
CVE-2018-11988
2020-07-11 12:50:34 +02:00
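The commit above describes the classic list-iteration use-after-free: the loop reads the next pointer out of the current entry after the body has freed it. The following is an added example, not code from this repository or from the commit; it uses a minimal intrusive list built in the style of the kernel's list.h, and it shows the list_for_each_entry_safe pattern that the commit message describes (save the successor before the body may free the current entry), next to the unsafe loop it replaces. The app_entry layout, the app_id values and the scenario are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdlib.h>

/* Minimal intrusive list in the style of the kernel's list.h; constructed
 * for this example, not the kernel's or the driver's code. */
struct list_head { struct list_head *next, *prev; };

#define list_entry(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}

static void list_del(struct list_head *e)
{
    e->prev->next = e->next; e->next->prev = e->prev;
    e->next = e->prev = NULL;   /* poison: a later touch of this node faults */
}

/* Safe iteration: the successor is saved in n before the body runs, so the
 * body may unlink and free pos. */
#define list_for_each_entry_safe(pos, n, head, member)                      \
    for (pos = list_entry((head)->next, __typeof__(*pos), member),          \
         n = list_entry(pos->member.next, __typeof__(*pos), member);        \
         &pos->member != (head);                                            \
         pos = n, n = list_entry(n->member.next, __typeof__(*n), member))

/* Stand-in for a registered-app record (assumed layout). */
struct app_entry { int app_id; struct list_head list; };

static void add_app(struct list_head *head, int app_id)
{
    struct app_entry *e = malloc(sizeof(*e));
    if (!e) abort();
    e->app_id = app_id;
    list_add_tail(&e->list, head);
}

/* The bug pattern: the next pointer is read from pos after pos was freed.
 * Kept beside the fix for comparison; never called. */
__attribute__((unused))
static void unload_app_unsafe(struct list_head *head, int app_id)
{
    struct app_entry *pos = list_entry(head->next, struct app_entry, list);
    while (&pos->list != head) {
        if (pos->app_id == app_id) {
            list_del(&pos->list);
            free(pos);
        }
        pos = list_entry(pos->list.next, struct app_entry, list); /* UAF */
    }
}

/* The fixed pattern: unlinks and frees every entry with this app_id and
 * returns how many were freed. */
static int unload_app(struct list_head *head, int app_id)
{
    struct app_entry *pos, *n;
    int freed = 0;
    list_for_each_entry_safe(pos, n, head, list) {
        if (pos->app_id == app_id) {
            list_del(&pos->list);
            free(pos);
            freed++;
        }
    }
    return freed;
}

static int count_apps(const struct list_head *head)
{
    int n = 0;
    for (const struct list_head *p = head->next; p != head; p = p->next)
        n++;
    return n;
}

/* Constructed scenario: four registered apps, two sharing app_id 7. */
static void run_demo(int *freed, int *remaining)
{
    struct list_head apps;
    INIT_LIST_HEAD(&apps);
    add_app(&apps, 3); add_app(&apps, 7); add_app(&apps, 7); add_app(&apps, 9);
    *freed = unload_app(&apps, 7);
    *remaining = count_apps(&apps);
    unload_app(&apps, 3); unload_app(&apps, 9);   /* release the rest */
}

static int demo_freed(void)     { int f, r; run_demo(&f, &r); return f; }
static int demo_remaining(void) { int f, r; run_demo(&f, &r); return r; }
```

The poison in list_del is what turns a silent use-after-free into an immediate fault under a debugger or with the kernel's list debugging enabled; without it the unsafe loop often appears to work until the allocator reuses the freed node.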
jitendrathakare 9b32c32588 qseecom : Clear client handle after unmap the resources
When unloading the app, reset all client members to NULL
to protect against accessing the memory after it has been freed.

Change-Id: I573b9c6fde03539522d2b04724a2246660c62518
Signed-off-by: jitendra thakare <jitendrathakare@codeaurora.org>
2020-07-11 12:28:35 +02:00
Joe Maples 353f0539b5 micro-optimization: Use DSTRLEN to remove incorrect strlen uses
strlen is often used incorrectly to get the length of strings
defined at compile time. In these cases, the behavior can be
replicated with sizeof(X) - 1, which is calculated at compile
time rather than runtime, reducing overhead. I've created a
simple macro to replace these instances and applied it to all
the files compiled into the angler kernel.

Signed-off-by: Joe Maples <joe@frap129.org>
2019-08-26 13:31:43 +02:00
Brahmaji K 0cee9126ce qseecom: Fix accessing userspace memory in kernel space
Use put_user API to write the data from kernel space to
userspace to avoid accessing userspace memory directly
in kernel space.

Bug: 65468973
Change-Id: I7bdd702225ed179af841db9a67cc7b93eadf9dcc
Signed-off-by: Brahmaji K <bkomma@codeaurora.org>
2017-10-12 19:44:05 -07:00
Zhen Kong b4e0e95c3f qseecom: add mutex around qseecom_set_client_mem_param
Add mutex around qseecom_set_client_mem_param to prevent an
ioctl thread from modifying and corrupting data that is being
processed by another ioctl in another thread.

Bug: 34327981
Change-Id: I0cfb8afab4001c2913be693dfe44c761b9568893
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
2017-04-10 22:53:49 +00:00
Ecco Park 0c289272eb Merge branch 'android-msm-bullhead-3.10-nyc-mr1' into android-msm-bullhead-3.10-nyc-mr2
May 2017.1

Bug: 36138302
2017-03-15 20:21:31 -07:00
Zhen Kong 73738cfa0a qseecom: improve input validation for qseecom_send_service_cmd
Make change to improve input validation on request and response
buffers' address and length for qseecom_send_service_cmd.

Bug: 35400457
Change-Id: I047e3264333d767541e43b7dadd1727232fd48ef
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
2017-03-16 00:54:35 +00:00
Zhen Kong 017ebf1329 qseecom: check buffer size when loading firmware images
Make change in __qseecom_load_fw() and qseecom_load_commonlib_image()
to check buffer size before copying img to buffer.

CRs-fixed: 1080290
Bug: 35399405
Change-Id: I0f48666ac948a9571e249598ae7cc19df9036b1d
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
2017-03-16 00:54:06 +00:00
Biswajit Paul b41c6bfa46 qseecom: whitelist support for kernel client and listener
Add whitelist support for listener to send modified resp to TZ;
also add whitelist support for kernel client; and change the method
to check whitelist feature.

Bug: 31268796
CRs-Fixed: 1021945
Change-Id: I0030b0008d6224cda3fdc1f80308a7e9bcfe4405
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
2017-02-13 14:07:35 -08:00
Biswajit Paul aa0fca3f5d qseecom: Change whitelist_support flag to false if TZ failed to check
The whitelist status is set to true by default even though TZ failed to check,
which in turn causes send_command to fail by passing the whitelist command id.
So update the support status flag to false when TZ fails to check.

Bug: 31268796
CRs-Fixed: 1021945
Change-Id: I78a7600506b4d2457bb1c38f8a39888a9cf9467c
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
2017-02-13 14:07:25 -08:00
Biswajit Paul 9776ffdfa1 qseecom: allocate sglistinfo buffer for kernel clients
To support whitelist feature, sglistinfo table should also
be allocated from qseecom kernel APIs used by kernel client.
Besides, initialize sg in __qseecom_update_cmd_buf_64 to
address a static analysis warning.

Bug: 31268796
CRs-Fixed: 1021945
Change-Id: I1f1967fd9e95444cca728f09e3e8f4914b2abb95
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
2017-02-13 14:07:15 -08:00
Biswajit Paul 903dbbabd0 qseecom: support whitelist memory for qseecom_send_modfd_cmd
qseecom_send_modfd_cmd converts ION buffer's virtual address to
scatter gather(SG) list and then sends them to TA by populating
SG list into message buffer. As the physical memory address in
SG list is used directly by TA, this allows a malicious TA to
access/corrupt arbitrary physical memory and may lead to the
process gaining kernel/root privileges. Thus, make changes to
have the QSEEComm driver passing a list of whitelist buffers
that is allowed to be mapped by TA, and the QSEE kernel, in turn,
should add checks to the register_shared_buffer syscall to make
sure the shared buffers an application is mapping falls within
one of these whitelist buffers.

Bug: 31268796
CRs-fixed: 1021945
Change-Id: I776ead0030cad167afcf41ab985db7151a42d126
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
2017-02-13 14:06:56 -08:00
Mallikarjuna Reddy Amireddy f7fdce7e4a qseecom: remove entry from qseecom_registered_app_list
In an error handling case, the QSEECOM_IOCTL_LOAD_APP_REQ ioctl
freed the entry for the new TA, but didn't remove it from
qseecom_registered_app_list. Make a change to remove it.

Bug: 31804432
Change-Id: Id681fbf3c923027d3db875d506cbe3f971919a8d
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
2016-12-07 07:42:32 +00:00
Roopesh Rajashekharaiah Nataraja da84eb7182 qseecom: Fix ion memory issue during unload app failure
qseecom still needs to free ion memory if unload app failed.
The previous xpu violation related to unload app failure is
actually due to a race condition between send commands, which
is fixed, and now it is safe to free ion memory in error cases.

Change-Id: I7a09c753360eb015ece15c48ae1bb34e30479560

Bug: 31220655
Signed-off-by: Roopesh Rajashekharaiah Nataraja <roopeshr@codeaurora.org>
2016-09-26 18:31:22 +00:00
Roopesh Rajashekharaiah Nataraja 3ff44bb13f qseecom: don't release ion share memory if scm_call unload TA failed
If a scm_call request to shut down a TA fails, the TA is not shut down
and is still in use, and the resources aren't necessarily leaked. Since
shared memory is still locked in this situation, ion shared memory
cannot be released, otherwise an XPU violation occurs. Only release
shared memory if the TA is unloaded successfully or that TA cannot
be found.

Change-Id: I971485fb541193f77960cc7ca14b5b09de938a43

Bug: 31220655
Signed-off-by: Roopesh Rajashekharaiah Nataraja <roopeshr@codeaurora.org>
2016-09-26 18:31:12 +00:00
Roopesh Rajashekharaiah Nataraja 45255af9f1 qseecom: release ION memory if qseecom failed to unload app
To avoid memory leakage, make change to release ION memory if qseecom
failed to unload TZ app, which is allocated when starting app.

CRs-Fixed: 977073
Change-Id: Ic4c9a7d7a118ff5026ce6ce7769a4c053906ed2d

Bug: 31220655
Signed-off-by: Roopesh Rajashekharaiah Nataraja <roopeshr@codeaurora.org>
2016-09-26 18:30:55 +00:00
Mallikarjuna Reddy Amireddy d471b05f0d qseecom: Change format specifier %p to %pK
Format specifier %p can leak kernel addresses while ignoring the
kptr_restrict system setting. When kptr_restrict is set to (1), kernel
pointers printed using the %pK format specifier will be replaced with 0's,
so that %pK will not leak kernel pointers to unprivileged users.
So change the format specifier from %p to %pK.

Debugging Note: %pK prints only zeros as the address. If you need the actual
address information, please echo 0 to kptr_restrict.
$ echo 0 > /proc/sys/kernel/kptr_restrict

Bug: 31498159
Change-Id: I0baf2be2d5a476e2e4267f20b99d0ddf5492469e
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
2016-09-16 18:03:30 +00:00
Biswajit Paul 770a5954c0 qseecom: validate the inputs of __qseecom_send_modfd_resp
The resp_len and resp_buf_ptr of qseecom_send_modfd_listener_resp
are not checked, so a userspace application that manipulates
resp_len can corrupt kernel memory. Thus make changes to
validate these parameters.

Bug: 29157595
CRs-fixed: 1036418
Change-Id: Id43ec6b55b332d0dac09a9abb998a410f49b44f7
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
2016-08-22 15:57:33 -07:00
Zhen Kong e1daf4900c qseecom: Do not try to load commonlib when loaded in lk
Remove the loading of commonlib when loaded by lk

Change-Id: Id8fcce391fc313fa6f2cbfa483358a0e73704895
Acked-by: Baranidharan Muthukumaran <bmuthuku@qti.qualcomm.com>
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
2015-06-19 15:54:00 -07:00
Zhen Kong bbdfd3aa53 qseecom: Register the existing app if it is loaded by appsbl
Register the app in qseecom driver if it has been already loaded
by appsbl before.

Change-Id: Iec39137a7e18dc703c731e55955ab84d1b9c97f3
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
2015-06-09 16:40:55 -07:00
Zhen Kong 4d407ac367 qseecom: Change to work with appsbl qseecom
Do not send app region notification if qseecom in appsbl has
already done it.

Change-Id: I81ae9a991a5d8ec582d9320e18be1b6f8e8ee7fd
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
2015-06-09 16:40:53 -07:00
William Clark 0d8c855055 qseecom: Fix NULL pointer dereference
Application name passed from the user space might be NULL or
corrupted, which if accessed later on might end up in NULL
pointer dereference.

Change-Id: I3c91c19a60cee209436218dd9ea370ef53c8c8b6
Signed-off-by: William Clark <wclark@codeaurora.org>
2015-05-04 22:45:15 -07:00
William Clark 5b0943b884 qseecom: avoid buffer over-write when copying app_name
Change memcpy to strlcpy to only copy the string for app_name.

Change-Id: I46cf34c2d2fdbf24e9e65008555f762761c81dd7
Signed-off-by: William Clark <wclark@codeaurora.org>
2015-03-12 15:48:52 -07:00
Dinesh K Garg 124909553e qseecom: wipe_key failing
While wiping the keys from multiple crypto, it is wiping keys from the
same crypto due to a wrong loop variable. Fixed the issue by using the
correct variable.

Change-Id: I8e7f9d3a773ff1809fe9b71d8e7bee75e789deca
Signed-off-by: Dinesh K Garg <dineshg@codeaurora.org>
2015-01-20 11:30:56 -08:00
Linux Build Service Account 9b973c484d Merge "qseecom: change sg_entry phy address to 32bit" 2015-01-07 19:38:11 -08:00
Zhen Kong 69d17c5abd qseecom: Save appname in qseecom when loading app by kernel client
We've made changes on app session managements to save app name in
qseecom when loading app by userspace client. This change is to save
app name when loading app by kernel client, then qseecom can compare
the app name correctly when sending commands to TZ.

CRs-Fixed: 748491
Change-Id: I341a1a89f0e8a45056be7a5ce0a6a540842bc5dd
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
2014-12-23 10:41:48 -08:00
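Several commits in this log touch how a client-supplied app name is handled: the DSTRLEN macro (sizeof minus one as a compile-time string length), the memcpy-to-strlcpy change for app_name, the NULL-check on the name passed from userspace, and the app-name comparison done when sending commands. The following is an added example, not code from this repository or from any of those commits, that puts the pieces together in userspace C. MAX_APP_NAME_SIZE, the app_entry layout, the "keymaster" prefix check and the sample names are assumptions; bounded_copy reimplements strlcpy semantics only because strlcpy is not in every libc. It also shows the DSTRLEN caveat a reviewer would raise: the macro is only correct for a literal, not for a buffer that is larger than the string it holds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed constant; the driver's real MAX_APP_NAME_SIZE may differ. */
#define MAX_APP_NAME_SIZE 32

/* Compile-time length of a string literal (or of a char array sized exactly
 * to one). Wrong for a char * (sizeof measures the pointer) and for a buffer
 * larger than its contents (sizeof measures the buffer). */
#define DSTRLEN(s) (sizeof(s) - 1)

/* strlcpy semantics, written out because strlcpy is not in every libc:
 * copies at most dst_size - 1 bytes, always NUL-terminates when dst_size
 * > 0, and returns strlen(src) so the caller can detect truncation. */
static size_t bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);
    if (dst_size) {
        size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return src_len;
}

struct app_entry { char app_name[MAX_APP_NAME_SIZE]; };

/* Stores a client-supplied name. Rejects NULL, and rejects a name that does
 * not fit instead of keeping a silently truncated one, which could later
 * compare equal to a different app's name. */
static bool set_app_name(struct app_entry *e, const char *user_name)
{
    if (!user_name)
        return false;
    return bounded_copy(e->app_name, sizeof(e->app_name), user_name)
           < sizeof(e->app_name);
}

/* Bounded compare: never runs past the array even if a terminator is
 * missing from one side. */
static bool app_name_matches(const char *a, const char *b)
{
    return strncmp(a, b, MAX_APP_NAME_SIZE) == 0;
}

/* Correct DSTRLEN use: the argument is a literal, so the length folds to a
 * compile-time constant. */
static bool has_keymaster_prefix(const char *name)
{
    return strncmp(name, "keymaster", DSTRLEN("keymaster")) == 0;
}

/* The pitfall: for a 32-byte buffer holding "sampleapp", DSTRLEN yields 31
 * while strlen yields 9, so this returns false. */
static bool dstrlen_equals_strlen_for_buffer(void)
{
    char buf[MAX_APP_NAME_SIZE] = "sampleapp";
    return DSTRLEN(buf) == strlen(buf);
}

/* Helper for the checks below: whether set_app_name accepts user_name. */
static bool demo_accepts(const char *user_name)
{
    struct app_entry e;
    return set_app_name(&e, user_name);
}

static char scratch[MAX_APP_NAME_SIZE];   /* destination used by the checks */
```

Rejecting an over-long name instead of truncating it is a stricter policy than a plain strlcpy; whether the driver can afford to fail the load request that way is a design decision, but silently shortening an identifier that is later used for a lookup is the case to avoid.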
Linux Build Service Account e4d39e9edb Merge "qseecom: Update GP QTEEC related APIs" 2014-12-18 20:49:32 -08:00
Zhen Kong dbb151538e qseecom: change sg_entry phy address to 32bit
Change sg_entry phys address to 32-bit, so that QSEECom will send a
32-bit phy address to TZ, as the 8994 TZ APP will remain 32-bit.

Change-Id: I9e486c7ee36869ab818389d4b656c86cc6aeb899
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
2014-12-17 17:01:51 -08:00
Mona Hossain 17c3151ed1 qseecom: Update GP QTEEC related APIs
Updated GP related code:
-Decouple GP related functionality from QSEE
-Add support for processing command in open session call
-Fix Invoke Command API to support contiguous memory only
-Add support for request cancellation command

Change-Id: I827e8fcdb09493266a21d3c4ae9456c2aa8457b3
Signed-off-by: Mona Hossain <mhossain@codeaurora.org>
2014-12-08 09:15:00 -08:00
Dinesh K Garg df3e6052b6 qseecom: Adding support of ICE in Key Management System
Storage hardware can have an embedded inline crypto engine (ICE). The current
key management system supports a key storage mechanism for GPCE. ICE HW
requires slightly different key management. Modifying the existing KMS to
support ICE HW.

Change-Id: Ibcdbbffad71927c91ceb5d24939e0a80630ce466
Signed-off-by: Dinesh K Garg <dineshg@codeaurora.org>
2014-12-07 23:26:54 -08:00
Mona Hossain 64147b2da4 qseecom: Fix clk initialization
Add checks for clock_no_support flag check before
initializing/enabling/disabling CLK_CE_DRV related clk.

Change-Id: I099cc4e3d4716b42a2a9fbaa12b44a9de6f45f63
Signed-off-by: Mona Hossain <mhossain@codeaurora.org>
2014-12-02 12:10:46 -08:00
Mona Hossain a953577dd8 qseecom: Add checks for send_cmd inputs
Improve user input validation across send cmd APIs. Add new
API __validate_send_cmd_inputs() to validate all user provided
inputs.

Change-Id: Ibbb0c0e7e5483f653bd59b927562b63c1e43c365
Signed-off-by: Mona Hossain <mhossain@codeaurora.org>
2014-11-06 12:14:10 -08:00
Mona Hossain dcde6b6e34 qseecom: Add boundary checks for offset within message
The qseecom driver does not have boundary checks for offsets within the
message. So this patch adds checks to validate the offsets sent by the
client to modify data within the command request message; they
should not exceed the memory allocated for that message.

Change-Id: I29bfbdc154eebb4f3f4bfbb31789562e37fa5886
Signed-off-by: Mona Hossain <mhossain@codeaurora.org>
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
2014-10-27 20:53:29 +05:30
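Five commits in this log are the same kind of fix: a client-supplied address, length or offset was trusted when it had to be checked against the buffer it was supposed to live in (the request/response address and length for qseecom_send_service_cmd, the resp_len and resp_buf_ptr of the listener response, the __validate_send_cmd_inputs() change, the offset-within-message check above, and the physical-memory whitelist that each SG entry handed to a TA must fall inside). The following is an added example, not code from this repository or from any of those commits, that shows the one check underlying all of them written so it cannot be defeated by integer wrap-around, and applies it to each case. The phys_range struct, the function names and the constructed whitelist and SG lists are assumptions for the example; addresses are passed as integers so the checks are pure arithmetic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* A physical range as an SG entry or a whitelist region would carry it.
 * Assumed shape; not the driver's own struct. */
struct phys_range {
    uint64_t base;
    uint64_t len;
};

/* True if [off, off + len) lies inside [0, total). off + len is never
 * computed, so a huge len or off cannot wrap the comparison. */
static bool range_within(uint64_t off, uint64_t len, uint64_t total)
{
    return off <= total && len <= total - off;
}

/* Client-supplied offset of an fd field inside a command message (the
 * qseecom_send_modfd_cmd style of request): the field the driver will
 * patch must fit entirely inside the cmd buffer the client handed in. */
static bool fd_offset_valid(uint32_t cmd_len, uint32_t offset, size_t field_size)
{
    return field_size != 0 && range_within(offset, field_size, cmd_len);
}

/* Listener response: resp_buf_ptr/resp_len must lie inside the shared
 * buffer registered for that listener, and an empty response is an error. */
static bool listener_resp_valid(uint64_t resp_ptr, uint64_t resp_len,
                                uint64_t sb_base, uint64_t sb_len)
{
    if (resp_len == 0 || resp_ptr < sb_base)
        return false;
    return range_within(resp_ptr - sb_base, resp_len, sb_len);
}

/* Whitelist containment: an SG entry must fall entirely inside one
 * whitelisted region. An entry that spans two adjacent regions is
 * rejected, which is the conservative choice. */
static bool sg_entry_whitelisted(const struct phys_range *e,
                                 const struct phys_range *wl, size_t n)
{
    if (e->len == 0)
        return false;
    for (size_t i = 0; i < n; i++) {
        if (e->base >= wl[i].base &&
            range_within(e->base - wl[i].base, e->len, wl[i].len))
            return true;
    }
    return false;
}

/* Checks a whole SG list; any bad entry rejects the command. */
static bool sg_list_whitelisted(const struct phys_range *sg, size_t nsg,
                                const struct phys_range *wl, size_t nwl)
{
    for (size_t i = 0; i < nsg; i++)
        if (!sg_entry_whitelisted(&sg[i], wl, nwl))
            return false;
    return nsg != 0;
}

/* Constructed sample data for the checks below. */
static const struct phys_range sample_whitelist[] = {
    { 0x80000000ULL, 0x00100000ULL },   /* 1 MiB region */
    { 0x90000000ULL, 0x00010000ULL },   /* 64 KiB region */
};
static const struct phys_range good_sg[] = {
    { 0x80001000ULL, 0x1000ULL },
    { 0x90000000ULL, 0x10000ULL },      /* exactly fills region 1 */
};
static const struct phys_range bad_sg[] = {
    { 0x80001000ULL, 0x1000ULL },
    { 0x800FF000ULL, 0x2000ULL },       /* runs 0x1000 past the end of region 0 */
};

static bool demo_good_list(void)
{
    return sg_list_whitelisted(good_sg, 2, sample_whitelist, 2);
}

static bool demo_bad_list(void)
{
    return sg_list_whitelisted(bad_sg, 2, sample_whitelist, 2);
}
```

The form `off <= total && len <= total - off` is the one to copy: the tempting `off + len <= total` passes for an offset near UINT32_MAX with a small len, or a small offset with a len near the type's maximum, because the sum wraps to a small value.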
Linux Build Service Account 299a626285 Merge "qseecom: Just check current bus scaling mode in qseecom_suspend" 2014-10-23 11:54:06 -07:00
Zhen Kong b77ae70ca4 qseecom: Just check current bus scaling mode in qseecom_suspend
In the current qseecom_suspend function, qseecom will scale down bus
bandwidth if both the accumulative mode and the current mode are not
INACTIVE. But if the device goes into suspend before the bus scaling timeout
happens, the accumulative mode may be zero but the current mode is
still not INACTIVE. This may prevent the device from going to suspend;
thus, make a change to just check the current bus scaling mode in
qseecom_suspend.

CRs-Fixed: 740287
Change-Id: I60e90000aa9efe428b144fb766e19e81312af66f
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
2014-10-16 11:00:10 -07:00
Linux Build Service Account 2e272c5bbd Merge "qseecom: Enable/disable clock for client if bus scaling is not enabled" 2014-10-14 03:48:55 -07:00
Linux Build Service Account 926f03e964 Merge "qseecom: Add new parameter to pass ce frequency" 2014-10-11 14:53:38 -07:00
Zhen Kong 369a4ace5e qseecom: Enable/disable clock for client if bus scaling is not enabled
To avoid the service failure on a target where bus scaling flag is not
enabled in target device tree file by mistake, make a change to enable/
disable crypto clocks when the client calls to scale up bus bandwidth
and send command even if bus scaling feature is not enabled.

CRs-Fixed: 726840
Change-Id: Ib33a535051b68561bde5ab6a23ad0f02dc27ab13
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
2014-10-10 18:03:05 -07:00
Linux Build Service Account ed42648f00 Merge "qseecom: Check if ce clock is enabled before sending cmd to TZ" 2014-10-08 06:10:45 -07:00
Mallikarjuna Reddy Amireddy c5c19c1079 qseecom: Add new parameter to pass ce frequency
Crypto operating frequency varies from target to target. So platform
specific data needs to provide the value.

Change-Id: Iccb1f627d45bfd5a2d2996b34a38eda389252aeb
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
2014-10-08 10:35:52 +05:30
Linux Build Service Account 970ab027fb Merge "qseecom: Free ion memory even if keymaster app is not unloaded" 2014-10-07 15:00:16 -07:00
Linux Build Service Account 52e8c17337 Merge "qseecom: Check response result if KMS related scm call returns failure" 2014-10-07 15:00:15 -07:00
Zhen Kong d1094572e1 qseecom: Free ion memory even if keymaster app is not unloaded
Make a change to free the ion memory allocated for keymaster client
even if keymaster app doesn't need to be unloaded from TZ, so as to
avoid memory leak.

CRs-Fixed: 724638
Change-Id: I3ddb68c8a3f96b0a44afc3efc63e93f0a8be51bb
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
2014-10-06 16:37:51 -07:00
Zhen Kong 7cd0a8c569 qseecom: Check if ce clock is enabled before sending cmd to TZ
Make a change to check if the ce clock is enabled before sending a command
to TZ, to prevent a data abort if the clock is not enabled for the
TZ crypto operation.

CRs-Fixed: 726840
Change-Id: I55b5b10ad80e741c39f8cf411f67e6b83887f3bb
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
2014-10-06 11:55:45 -07:00
Zhen Kong ab37cc73ef qseecom: Check response result if KMS related scm call returns failure
On the target supporting ARMv8 smc interface, the scm call will return
failure if scm parsing failed or the syscall response result is negative.
Then when qseecom calls __qseecom_generate_and_save_key on a device where
the key has already been created, scm call will return failure directly as the
syscall response result value in this case is negative. Thus, generate key
failed and set key will not be called. So, we make changes to check syscall
response results for key management APIs even when scm call return failure.

CRs-Fixed: 723967
Change-Id: Ibade34dfc8ad90b25f2712ed0cc3faae91daab51
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
2014-09-24 13:17:41 -07:00
Jon Ronen-Drori 9ebfe7b506 qseecom: ARMv8: support qseecom_save_partition_hash
Implementing the ARMv8 version of qseecom_save_partition_hash
by calling scm_call2 with the proper parameters

Until this change, only the ARMv7 version was implemented
(by calling scm_call) and ARMv8 version was missing

Without this change, ioctl QSEECOM_IOCTL_SAVE_PARTITION_HASH_REQ
fails on ARMv8 platforms and only works on ARMv7

CRs-Fixed: 714330
Change-Id: I855ca847d62a0ffd8dc59207b7ea3a0ac6f79d99
Signed-off-by: Jon Ronen-Drori <jonr@codeaurora.org>
2014-09-23 06:24:32 -07:00
AnilKumar Chimata 20190307dd qseecom: Move checks to start of __qseecom_send_cmd()
The data pointer validation is done after dereferencing it, which might
throw an exception. This patch moves the data pointer validation
checks to the start of the function.

Change-Id: I12d201e53ad1d3098bf45c427553b048ca4d8ac0
Signed-off-by: AnilKumar Chimata <anilc@codeaurora.org>
2014-09-17 16:22:01 -07:00
Linux Build Service Account 352a3a2494 Merge "qseecom: New cmd to support fuse writes" 2014-09-07 08:21:51 -07:00
Linux Build Service Account 5ad55e64d8 Merge "qseecom: improve secure app session management" 2014-08-31 08:25:24 -07:00
Gilad Avidov 54d008d5e9 qseecom: New cmd to support fuse writes
Add new command to support QFPROM writes. This operation
can no longer be performed from the Linux kernel.

Change-Id: Ifeb599b7019f8568ebbcfd7222f5c5ce11e9143b
Acked-by: Kaushik Sikdar <ksikdar@qti.qualcomm.com>
Signed-off-by: Gilad Avidov <gavidov@codeaurora.org>
2014-08-29 13:27:42 -06:00