diff options
| author | Swathi K <kataka@codeaurora.org> | 2021-07-13 13:09:31 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2021-07-16 03:08:38 -0700 |
| commit | 7504736e87258b542aeedf47460364b30b8cb79d (patch) | |
| tree | bb15ff8e42173217e2aa9ba8ba7ae71f70a794f8 | |
| parent | 994e5922a0c225b877a4b3790830b7edc7b7807b (diff) | |
msm: adsprpc: Handle UAF in process shell memory
Added flag to indicate memory used
in process initialization. And, this memory
would not removed in internal unmap to avoid
UAF or double free.
Change-Id: I99e8e4f94644c5d47b4863f89b308bd5de49c1d7
Signed-off-by: Swathi K <kataka@codeaurora.org>
| -rw-r--r-- | drivers/char/adsprpc.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c index f2be7f119e8c..a21bde22c830 100644 --- a/drivers/char/adsprpc.c +++ b/drivers/char/adsprpc.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2020, The Linux Foundation. All rights reserved. + * Copyright (c) 2012-2021, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -297,6 +297,8 @@ struct fastrpc_mmap { int uncached; int secure; uintptr_t attr; + bool is_filemap; + /*flag to indicate map used in process init*/ }; struct fastrpc_perf { @@ -556,9 +558,10 @@ static int fastrpc_mmap_remove(struct fastrpc_file *fl, uintptr_t va, spin_lock(&me->hlock); hlist_for_each_entry_safe(map, n, &me->maps, hn) { - if (map->raddr == va && + if (map->refs == 1 && map->raddr == va && map->raddr + map->len == va + len && - map->refs == 1) { + /*Remove map if not used in process initialization*/ + !map->is_filemap) { match = map; hlist_del_init(&map->hn); break; @@ -571,9 +574,10 @@ static int fastrpc_mmap_remove(struct fastrpc_file *fl, uintptr_t va, } spin_lock(&fl->hlock); hlist_for_each_entry_safe(map, n, &fl->maps, hn) { - if (map->raddr == va && + if (map->refs == 1 && map->raddr == va && map->raddr + map->len == va + len && - map->refs == 1) { + /*Remove map if not used in process initialization*/ + !map->is_filemap) { match = map; hlist_del_init(&map->hn); break; @@ -711,6 +715,7 @@ static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd, unsigned attr, map->fl = fl; map->fd = fd; map->attr = attr; + map->is_filemap = false; if (mflags == ADSP_MMAP_HEAP_ADDR || mflags == ADSP_MMAP_REMOTE_HEAP_ADDR) { DEFINE_DMA_ATTRS(rh_attrs); @@ -1900,6 +1905,8 @@ static int fastrpc_init_process(struct fastrpc_file *fl, if (init->filelen) { VERIFY(err, !fastrpc_mmap_create(fl, init->filefd, 0, init->file, init->filelen, mflags, &file)); + if (file) + file->is_filemap = true; if (err) goto bail; } |