msm:ADSPRPC :Fix to avoid Use after free in fastrpc_internal_munmap

Added a check to validate map before freeing it to avoid Use after free scenario. Change-Id: Ic723a4fe964a4909119663500018f2a07976105b Signed-off-by: Vamsi krishna Gattupalli <vgattupa@codeaurora.org> CVE-2021-1927
author: Vamsi krishna Gattupalli <vgattupa@codeaurora.org> 2020-12-02 12:59:03 +0530
committer: Davide Garberi <dade.garberi@gmail.com> 2021-10-07 20:10:10 +0200
commit: 71f46a46bd2166b992db3f2368dc654e388e5822 (patch)
tree: 046cf6e330da13a57f8c95661bc599bc7d95eede
parent: e059bd0713c3fc317a01956463f2ea856f7dfcff (diff)
1 files changed, 7 insertions, 5 deletions
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index a8d2d2968d49..b5b239eb6dc3 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -2335,11 +2335,13 @@ static int fastrpc_internal_munmap(struct fastrpc_file *fl,
 	VERIFY(err, !fastrpc_mmap_remove(fl, ud->vaddrout, ud->size, &map));
 	if (err)
 		goto bail;
-	VERIFY(err, !fastrpc_munmap_on_dsp(fl, map->raddr,
-				map->phys, map->size, map->flags));
-	if (err)
-		goto bail;
-	fastrpc_mmap_free(map);
+	if (map) {
+		VERIFY(err, !fastrpc_munmap_on_dsp(fl, map->raddr,
+					map->phys, map->size, map->flags));
+		if (err)
+			goto bail;
+		fastrpc_mmap_free(map);
+	}
 bail:
 	if (err && map)
 		fastrpc_mmap_add(map);
author	Vamsi krishna Gattupalli <vgattupa@codeaurora.org>	2020-12-02 12:59:03 +0530
committer	Davide Garberi <dade.garberi@gmail.com>	2021-10-07 20:10:10 +0200
commit	71f46a46bd2166b992db3f2368dc654e388e5822 (patch)
tree	046cf6e330da13a57f8c95661bc599bc7d95eede
parent	e059bd0713c3fc317a01956463f2ea856f7dfcff (diff)