diff options
| author | Swathi K <kataka@codeaurora.org> | 2021-07-16 17:38:41 +0530 |
|---|---|---|
| committer | Swathi K <kataka@codeaurora.org> | 2021-07-16 17:38:41 +0530 |
| commit | c8f02f7da0ff73f1c319fb9210dc8fc0cb8bf1e6 (patch) | |
| tree | 8d9ce2939795bc9e2fa3613f6125582913ec8bc0 | |
| parent | b6e4686fb49d02526358d39737549686850e85ae (diff) | |
msm: adsprpc: Handle UAF in process shell memory
Added flag to indicate memory used
in process initialization. And, this memory
would not removed in internal unmap to avoid
UAF or double free.
Change-Id: Ifa621dee171b3d1f98b82302c847f4d767f3e736
Signed-off-by: Swathi K <kataka@codeaurora.org>
| -rw-r--r-- | drivers/char/adsprpc.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c index f2be7f119e8c..bdcf3a7ee4ee 100644 --- a/drivers/char/adsprpc.c +++ b/drivers/char/adsprpc.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2020, The Linux Foundation. All rights reserved. + * Copyright (c) 2012-2021, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -297,6 +297,7 @@ struct fastrpc_mmap { int uncached; int secure; uintptr_t attr; + bool is_filemap; /*flag to indicate map used in process init*/ }; struct fastrpc_perf { @@ -556,9 +557,10 @@ static int fastrpc_mmap_remove(struct fastrpc_file *fl, uintptr_t va, spin_lock(&me->hlock); hlist_for_each_entry_safe(map, n, &me->maps, hn) { - if (map->raddr == va && + if (map->refs == 1 && map->raddr == va && map->raddr + map->len == va + len && - map->refs == 1) { + /*Remove map if not used in process initialization*/ + !map->is_filemap) { match = map; hlist_del_init(&map->hn); break; @@ -571,9 +573,10 @@ static int fastrpc_mmap_remove(struct fastrpc_file *fl, uintptr_t va, } spin_lock(&fl->hlock); hlist_for_each_entry_safe(map, n, &fl->maps, hn) { - if (map->raddr == va && + if (map->refs == 1 && map->raddr == va && map->raddr + map->len == va + len && - map->refs == 1) { + /*Remove map if not used in process initialization*/ + !map->is_filemap) { match = map; hlist_del_init(&map->hn); break; @@ -711,6 +714,7 @@ static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd, unsigned attr, map->fl = fl; map->fd = fd; map->attr = attr; + map->is_filemap = false; if (mflags == ADSP_MMAP_HEAP_ADDR || mflags == ADSP_MMAP_REMOTE_HEAP_ADDR) { DEFINE_DMA_ATTRS(rh_attrs); @@ -1900,6 +1904,8 @@ static int fastrpc_init_process(struct fastrpc_file *fl, if (init->filelen) { VERIFY(err, !fastrpc_mmap_create(fl, init->filefd, 0, init->file, init->filelen, mflags, &file)); + if (file) + file->is_filemap = true; if (err) goto bail; } |