Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0ad56197 authored by Swathi K's avatar Swathi K
Browse files

msm: adsprpc: Handle UAF in fastrpc debugfs read 



Use lock to protect maps among multiple
threads to avoid race condition.

Change-Id: Ib0c83dd38ea8e5acb54a1478d10b02385c27ba31
Signed-off-by: default avatarSwathi K <quic_c_kataka@quicinc.com>
parent 0cf22593

drivers/char/adsprpc.c

+11 −0
Original line number Diff line number Diff line 
/*

 * Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.

 * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and
@@ -3476,6 +3477,7 @@ static ssize_t fastrpc_debugfs_read(struct file *filp, char __user *buffer, 
		len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,

			"%s%s%s%s%s\n", single_line, single_line,

			single_line, single_line, single_line);

		spin_lock(&me->hlock);

		hlist_for_each_entry_safe(gmaps, n, &me->maps, hn) {

		len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,

			"%-20d|0x%-18llX|0x%-18X|0x%-20lX\n\n",
@@ -3483,18 +3485,21 @@ static ssize_t fastrpc_debugfs_read(struct file *filp, char __user *buffer, 
			(uint32_t)gmaps->size,

			gmaps->va);

		}

		spin_unlock(&me->hlock);

		len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,

			"%-20s|%-20s|%-20s|%-20s\n",

			"len", "refs", "raddr", "flags");

		len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,

			"%s%s%s%s%s\n", single_line, single_line,

			single_line, single_line, single_line);

		spin_lock(&me->hlock);

		hlist_for_each_entry_safe(gmaps, n, &me->maps, hn) {

		len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,

			"0x%-18X|%-20d|%-20lu|%-20u\n",

			(uint32_t)gmaps->len, gmaps->refs,

			gmaps->raddr, gmaps->flags);

		}

		spin_unlock(&me->hlock);

	} else {

		len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,

			 "\n%s %13s %d\n", "cid", ":", fl->cid);
@@ -3544,12 +3549,14 @@ static ssize_t fastrpc_debugfs_read(struct file *filp, char __user *buffer, 
			"%s%s%s%s%s\n",

			single_line, single_line, single_line,

			single_line, single_line);

		mutex_lock(&fl->map_mutex);

		hlist_for_each_entry_safe(map, n, &fl->maps, hn) {

		len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,

			"0x%-20lX|0x%-20llX|0x%-20zu\n\n",

			map->va, map->phys,

			map->size);

		}

		mutex_unlock(&fl->map_mutex);

		len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,

			"%-20s|%-20s|%-20s|%-20s\n",

			"len", "refs",
@@ -3558,23 +3565,27 @@ static ssize_t fastrpc_debugfs_read(struct file *filp, char __user *buffer, 
			"%s%s%s%s%s\n",

			single_line, single_line, single_line,

			single_line, single_line);

		mutex_lock(&fl->map_mutex);

		hlist_for_each_entry_safe(map, n, &fl->maps, hn) {

		len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,

			"%-20zu|%-20d|0x%-20lX|%-20d\n\n",

			map->len, map->refs, map->raddr,

			map->uncached);

		}

		mutex_unlock(&fl->map_mutex);

		len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,

			"%-20s|%-20s\n", "secure", "attr");

		len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,

			"%s%s%s%s%s\n",

			single_line, single_line, single_line,

			single_line, single_line);

		mutex_lock(&fl->map_mutex);

		hlist_for_each_entry_safe(map, n, &fl->maps, hn) {

		len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,

			"%-20d|0x%-20lX\n\n",

			map->secure, map->attr);

		}

		mutex_unlock(&fl->map_mutex);

		len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,

				"%s %d\n\n",

				"KERNEL MEMORY ALLOCATION:", 1);