| author | Mohammed Javid <mjavid@codeaurora.org> | 2017-10-03 13:10:05 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-10-05 20:24:29 -0700 |
| commit | 468686f581b558eb763423fdd9fe410194d6feab (patch) | |
| tree | b03327d329efb27bf20ceb02e4cf178278b50143 | |
| parent | b889d4d995a275107a434572ec53421b774aab22 (diff) | |
msm: ipa: Fix use after free issue
Added code changes to avoid use after free
by keeping a local copy of the message and
caching that copy upon successful return.
Change-Id: Iffac9ba89658b986bd8b630d22af619300e0ff5d
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
| -rw-r--r-- | drivers/platform/msm/ipa/ipa_v2/ipa.c | 7 | ||||
| -rw-r--r-- | drivers/platform/msm/ipa/ipa_v3/ipa.c | 7 |
2 files changed, 10 insertions, 4 deletions
diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa.c b/drivers/platform/msm/ipa/ipa_v2/ipa.c index df741c1c8e5f..9e19fa625daa 100644 --- a/drivers/platform/msm/ipa/ipa_v2/ipa.c +++ b/drivers/platform/msm/ipa/ipa_v2/ipa.c @@ -536,6 +536,7 @@ static int ipa_send_wan_msg(unsigned long usr_param, uint8_t msg_type, bool is_c int retval; struct ipa_wan_msg *wan_msg; struct ipa_msg_meta msg_meta; + struct ipa_wan_msg cache_wan_msg; wan_msg = kzalloc(sizeof(struct ipa_wan_msg), GFP_KERNEL); if (!wan_msg) { @@ -549,6 +550,8 @@ static int ipa_send_wan_msg(unsigned long usr_param, uint8_t msg_type, bool is_c return -EFAULT; } + memcpy(&cache_wan_msg, wan_msg, sizeof(cache_wan_msg)); + memset(&msg_meta, 0, sizeof(struct ipa_msg_meta)); msg_meta.msg_type = msg_type; msg_meta.msg_len = sizeof(struct ipa_wan_msg); @@ -565,8 +568,8 @@ static int ipa_send_wan_msg(unsigned long usr_param, uint8_t msg_type, bool is_c /* cache the cne event */ memcpy(&ipa_ctx->ipa_cne_evt_req_cache[ ipa_ctx->num_ipa_cne_evt_req].wan_msg, - wan_msg, - sizeof(struct ipa_wan_msg)); + &cache_wan_msg, + sizeof(cache_wan_msg)); memcpy(&ipa_ctx->ipa_cne_evt_req_cache[ ipa_ctx->num_ipa_cne_evt_req].msg_meta, diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa.c b/drivers/platform/msm/ipa/ipa_v3/ipa.c index fd503f48f17c..ecd532c2ec67 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa.c @@ -603,6 +603,7 @@ static int ipa3_send_wan_msg(unsigned long usr_param, uint8_t msg_type, bool is_ int retval; struct ipa_wan_msg *wan_msg; struct ipa_msg_meta msg_meta; + struct ipa_wan_msg cache_wan_msg; wan_msg = kzalloc(sizeof(struct ipa_wan_msg), GFP_KERNEL); if (!wan_msg) { @@ -616,6 +617,8 @@ static int ipa3_send_wan_msg(unsigned long usr_param, uint8_t msg_type, bool is_ return -EFAULT; } + memcpy(&cache_wan_msg, wan_msg, sizeof(cache_wan_msg)); + memset(&msg_meta, 0, sizeof(struct ipa_msg_meta)); msg_meta.msg_type = msg_type; msg_meta.msg_len = sizeof(struct ipa_wan_msg); 
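Review bot: The added `memcpy(&cache_wan_msg, wan_msg, sizeof(cache_wan_msg));` in the second hunk carries no comment explaining why a second copy of the user-supplied message is taken at exactly this point. Going by the commit message, `wan_msg` may already be freed once it has been handed to the send path, so the snapshot has to be taken before that call; the call itself sits between this hunk and the next and is not visible here. I would add `/* wan_msg may be freed by the send path; keep a copy for the CNE cache */` above the memcpy, here and in the matching hunk of ipa_v3/ipa.c. Without it, a later cleanup could move or drop the copy and bring the use after free back. The body of ipa_send_wan_msg starts and ends outside the hunk.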
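Review bot: The cache write in the third hunk, `&cache_wan_msg, sizeof(cache_wan_msg)`, sizes the copy by the source object, so nothing ties the length to the destination field `ipa_cne_evt_req_cache[...].wan_msg`. If that field is a `struct ipa_wan_msg` (its declaration is not in the hunk, so this needs confirming), a plain assignment is checked by the compiler and cannot write past the slot if the two types ever diverge: `ipa_ctx->ipa_cne_evt_req_cache[ipa_ctx->num_ipa_cne_evt_req].wan_msg = cache_wan_msg;`. The same applies to the last hunk of ipa_v3/ipa.c with `ipa3_ctx`. The code that bounds `num_ipa_cne_evt_req` is outside the hunk and is worth a look while touching this line.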
@@ -632,8 +635,8 @@ static int ipa3_send_wan_msg(unsigned long usr_param, uint8_t msg_type, bool is_ /* cache the cne event */ memcpy(&ipa3_ctx->ipa_cne_evt_req_cache[ ipa3_ctx->num_ipa_cne_evt_req].wan_msg, - wan_msg, - sizeof(struct ipa_wan_msg)); + &cache_wan_msg, + sizeof(cache_wan_msg)); memcpy(&ipa3_ctx->ipa_cne_evt_req_cache[ ipa3_ctx->num_ipa_cne_evt_req].msg_meta, |
