
Commit 44a13331 authored by Armaan Siddiqui

msm: ipa: fix potential race condition ioctls



There are potential race conditions in the IPA driver ioctls that copy
the actual arguments from user-space memory into the IPA driver: the
payload is fetched from user space twice, so a user-space process can
change it between the two copies (a double-fetch). The fix is to add a
check on the 2nd copy to make sure the same payload size is copied into
the pre-allocated kernel memory as was seen during the 1st copy.

Change-Id: I3d31cb11a24e969db4fd1728cf6ab1ce983a75e9
Signed-off-by: Armaan Siddiqui <asiddiqu@codeaurora.org>
parent 2d8289ca
+64 −1
// SPDX-License-Identifier: GPL-2.0-only
// SPDX-License-Identifier: GPL-2.0-only
/*
/*
 * Copyright (c) 2012-2020, The Linux Foundation. All rights reserved.
 * Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.
 */
 */


#include <linux/clk.h>
#include <linux/clk.h>
@@ -746,6 +746,15 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg)
		retval = -EFAULT;
		retval = -EFAULT;
		goto free_param_kptr;
		goto free_param_kptr;
	}
	}
	/* add check in case user-space module compromised */
	if (unlikely(((struct ipa_ioc_add_rt_rule_v2 *)param)->num_rules
		!= pre_entry)) {
		IPAERR_RL("current %d pre %d\n",
			((struct ipa_ioc_add_rt_rule_v2 *)param)->
				num_rules, pre_entry);
			retval = -EFAULT;
			goto free_param_kptr;
	}
	/* alloc kernel pointer with actual payload size */
	/* alloc kernel pointer with actual payload size */
	kptr = kzalloc(pyld_sz, GFP_KERNEL);
	kptr = kzalloc(pyld_sz, GFP_KERNEL);
	if (!kptr) {
	if (!kptr) {
@@ -841,6 +850,15 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg)
		retval = -EFAULT;
		retval = -EFAULT;
		goto free_param_kptr;
		goto free_param_kptr;
	}
	}
	/* add check in case user-space module compromised */
	if (unlikely(((struct ipa_ioc_add_rt_rule_ext_v2 *)param)->num_rules
		!= pre_entry)) {
		IPAERR_RL("current %d pre %d\n",
			((struct ipa_ioc_add_rt_rule_ext_v2 *)param)->
				num_rules, pre_entry);
			retval = -EFAULT;
			goto free_param_kptr;
	}
	/* alloc kernel pointer with actual payload size */
	/* alloc kernel pointer with actual payload size */
	kptr = kzalloc(pyld_sz, GFP_KERNEL);
	kptr = kzalloc(pyld_sz, GFP_KERNEL);
	if (!kptr) {
	if (!kptr) {
@@ -937,6 +955,15 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg)
		retval = -EFAULT;
		retval = -EFAULT;
		goto free_param_kptr;
		goto free_param_kptr;
	}
	}
	/* add check in case user-space module compromised */
	if (unlikely(((struct ipa_ioc_add_rt_rule_after_v2 *)param)->num_rules
		!= pre_entry)) {
		IPAERR_RL("current %d pre %d\n",
			((struct ipa_ioc_add_rt_rule_after_v2 *)param)->
				num_rules, pre_entry);
			retval = -EFAULT;
			goto free_param_kptr;
	}
	/* alloc kernel pointer with actual payload size */
	/* alloc kernel pointer with actual payload size */
	kptr = kzalloc(pyld_sz, GFP_KERNEL);
	kptr = kzalloc(pyld_sz, GFP_KERNEL);
	if (!kptr) {
	if (!kptr) {
@@ -1031,6 +1058,15 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg)
		retval = -EFAULT;
		retval = -EFAULT;
		goto free_param_kptr;
		goto free_param_kptr;
	}
	}
	/* add check in case user-space module compromised */
	if (unlikely(((struct ipa_ioc_mdfy_rt_rule_v2 *)param)->num_rules
		!= pre_entry)) {
		IPAERR_RL("current %d pre %d\n",
			((struct ipa_ioc_mdfy_rt_rule_v2 *)param)->
				num_rules, pre_entry);
			retval = -EFAULT;
			goto free_param_kptr;
	}
	/* alloc kernel pointer with actual payload size */
	/* alloc kernel pointer with actual payload size */
	kptr = kzalloc(pyld_sz, GFP_KERNEL);
	kptr = kzalloc(pyld_sz, GFP_KERNEL);
	if (!kptr) {
	if (!kptr) {
@@ -1124,6 +1160,15 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg)
		retval = -EFAULT;
		retval = -EFAULT;
		goto free_param_kptr;
		goto free_param_kptr;
	}
	}
	/* add check in case user-space module compromised */
	if (unlikely(((struct ipa_ioc_add_flt_rule_v2 *)param)->num_rules
		!= pre_entry)) {
		IPAERR_RL("current %d pre %d\n",
			((struct ipa_ioc_add_flt_rule_v2 *)param)->
				num_rules, pre_entry);
			retval = -EFAULT;
			goto free_param_kptr;
	}
	/* alloc kernel pointer with actual payload size */
	/* alloc kernel pointer with actual payload size */
	kptr = kzalloc(pyld_sz, GFP_KERNEL);
	kptr = kzalloc(pyld_sz, GFP_KERNEL);
	if (!kptr) {
	if (!kptr) {
@@ -1217,6 +1262,15 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg)
		retval = -EFAULT;
		retval = -EFAULT;
		goto free_param_kptr;
		goto free_param_kptr;
	}
	}
	/* add check in case user-space module compromised */
	if (unlikely(((struct ipa_ioc_add_flt_rule_after_v2 *)param)->num_rules
		!= pre_entry)) {
		IPAERR_RL("current %d pre %d\n",
			((struct ipa_ioc_add_flt_rule_after_v2 *)param)->
				num_rules, pre_entry);
			retval = -EFAULT;
			goto free_param_kptr;
	}
	/* alloc kernel pointer with actual payload size */
	/* alloc kernel pointer with actual payload size */
	kptr = kzalloc(pyld_sz, GFP_KERNEL);
	kptr = kzalloc(pyld_sz, GFP_KERNEL);
	if (!kptr) {
	if (!kptr) {
@@ -1311,6 +1365,15 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg)
		retval = -EFAULT;
		retval = -EFAULT;
		goto free_param_kptr;
		goto free_param_kptr;
	}
	}
	/* add check in case user-space module compromised */
	if (unlikely(((struct ipa_ioc_mdfy_flt_rule_v2 *)param)->num_rules
		!= pre_entry)) {
		IPAERR_RL("current %d pre %d\n",
			((struct ipa_ioc_mdfy_flt_rule_v2 *)param)->
				num_rules, pre_entry);
			retval = -EFAULT;
			goto free_param_kptr;
	}
	/* alloc kernel pointer with actual payload size */
	/* alloc kernel pointer with actual payload size */
	kptr = kzalloc(pyld_sz, GFP_KERNEL);
	kptr = kzalloc(pyld_sz, GFP_KERNEL);
	if (!kptr) {
	if (!kptr) {
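Review bot: The re-check added after the second copy only re-validates `num_rules` against `pre_entry`, yet the `kzalloc(pyld_sz, GFP_KERNEL)` immediately below it still uses a `pyld_sz` computed before the hunk from the first copy; if that size (or any later per-rule indexing) also depends on another user-supplied field such as a per-rule size, that field is not re-compared and the double-fetch window is only partially closed, so the computation of `pyld_sz` at the top of each handler should be checked, which lies outside the hunk. Inside each new `if` body the `retval = -EFAULT;` and `goto free_param_kptr;` lines are indented one tab deeper than the `IPAERR_RL` call; they should sit at the same level as the log call, i.e. `\t\tretval = -EFAULT;` and `\t\tgoto free_param_kptr;`. The identical nine-line check is pasted into seven ioctl handlers differing only in the struct cast; a small helper macro or `static inline` taking the two counts would keep the next fix to this logic in one place. The enclosing functions start before each hunk, so the origin of `pre_entry` and `pyld_sz` is not visible here.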