
Commit fc548a59 authored by Mohammed Nayeem Ur Rahman

msm: adsprpc: Variable map may UAF due to race conditions



Variable map may be pointing to the same buffer on race conditions
in functions fastrpc_internal_mmap, fastrpc_internal_munmap and
fastrpc_internal_munmap_fd. Use mutex to avoid race conditions
on same buffer.

Change-Id: Ic51bce81a92b68516c9bdcf4f9955a06392d75e8
Acked-by: Krishnaiah Tadakamalla <ktadakam@qti.qualcomm.com>
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
parent b3a2604d
+4 −1
/*
 * Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.
 * Copyright (c) 2012-2020, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -2722,6 +2722,7 @@ static int fastrpc_internal_munmap_fd(struct fastrpc_file *fl,
	VERIFY(err, (fl && ud));
	if (err)
		goto bail;
	mutex_lock(&fl->map_mutex);
	mutex_lock(&fl->fl_map_mutex);
	if (fastrpc_mmap_find(fl, ud->fd, ud->va, ud->len, 0, 0, &map)) {
		pr_err("adsprpc: mapping not found to unmap %d va %llx %x\n",
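Review bot: the mutex_lock(&fl->map_mutex) taken ahead of mutex_lock(&fl->fl_map_mutex) sets a lock order (map_mutex first, fl_map_mutex second) that every other path has to follow, yet this diff only touches fastrpc_internal_munmap_fd while the commit message names fastrpc_internal_mmap and fastrpc_internal_munmap as the other parties to the race. Please confirm that those two functions already hold map_mutex across their lookup and free, acquired in this same order. If they do not, the map can still be freed under a concurrent caller on those paths, and an inverted order would risk a deadlock. A short comment at this site stating what map_mutex serializes that fl_map_mutex alone does not would also help the next reader.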
@@ -2729,11 +2730,13 @@ static int fastrpc_internal_munmap_fd(struct fastrpc_file *fl,
			(unsigned int)ud->len);
		err = -1;
		mutex_unlock(&fl->fl_map_mutex);
		mutex_unlock(&fl->map_mutex);
		goto bail;
	}
	if (map)
		fastrpc_mmap_free(map, 0);
	mutex_unlock(&fl->fl_map_mutex);
	mutex_unlock(&fl->map_mutex);
bail:
	return err;
}
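Review bot: the unlock pair mutex_unlock(&fl->fl_map_mutex); mutex_unlock(&fl->map_mutex); now appears twice, once on the mapping-not-found path and once on the normal exit, so any later early return added between the lock and the free has to remember both locks. Consider a single unlock label placed just above bail: that drops both mutexes in this reverse order, with the not-found branch setting err and jumping to it. The release order itself matches the acquisition order in reverse at both sites, which is correct.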