From 7946d14cb3d21f9a60adc283648cf8b0d6ef6394 Mon Sep 17 00:00:00 2001
From: android-t1
Date: Thu, 4 Aug 2022 18:05:22 +0800
Subject: [PATCH 1/2] [FP4-3860]Integrate security patch CVE_2021_30337
Change-Id: I84cd66fcf1fd7e9ad852c7d05b21c2ee7d6ec1dc
---
 drivers/char/adsprpc.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index 007d278fe89d..eb201d9ef601 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -415,6 +415,7 @@ struct fastrpc_mmap {
 int uncached;
 int secure;
 uintptr_t attr;
+ bool is_filemap; /*flag to indicate map used in process init*/
 };
 enum fastrpc_perfkeys {
@@ -834,9 +835,10 @@ static int fastrpc_mmap_remove(struct fastrpc_file *fl, uintptr_t va,
 spin_lock(&me->hlock);
 hlist_for_each_entry_safe(map, n, &me->maps, hn) {
- if (map->raddr == va &&
+ if (map->refs == 1 && map->raddr == va &&
 map->raddr + map->len == va + len &&
- map->refs == 1) {
+ /*Remove map if not used in process initialization*/
+ !map->is_filemap) {
 match = map;
 hlist_del_init(&map->hn);
 break;
@@ -848,9 +850,10 @@ static int fastrpc_mmap_remove(struct fastrpc_file *fl, uintptr_t va,
 return 0;
 }
 hlist_for_each_entry_safe(map, n, &fl->maps, hn) {
- if (map->raddr == va &&
+ if (map->refs == 1 && map->raddr == va &&
 map->raddr + map->len == va + len &&
- map->refs == 1) {
+ /*Remove map if not used in process initialization*/
+ !map->is_filemap) {
 match = map;
 hlist_del_init(&map->hn);
 break;
@@ -985,6 +988,7 @@ static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd,
 map->refs = 1;
 map->fl = fl;
 map->fd = fd;
+ map->is_filemap = false;
 map->attr = attr;
 if (mflags == ADSP_MMAP_HEAP_ADDR || mflags == ADSP_MMAP_REMOTE_HEAP_ADDR) {
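Review bot: The comment `/*Remove map if not used in process initialization*/` sits between two operands of the condition in the `@@ -834,9 +835,10 @@` hunk, and again in the `@@ -848,9 +850,10 @@` hunk, where it is easy to misread and does not say why init maps are exempt. Put it above the `if` and state the invariant, for example `/* Maps flagged is_filemap back process init and must not be removed here. */`. Both loops now repeat the same four-clause test, so a small static helper taking `map`, `va` and `len` would keep them from drifting apart. fastrpc_mmap_remove starts and ends outside both hunks.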
@@ -2587,6 +2591,8 @@ static int fastrpc_init_process(struct fastrpc_file *fl,
 VERIFY(err, !fastrpc_mmap_create(fl, init->filefd, 0, init->file, init->filelen, mflags, &file));
 mutex_unlock(&fl->map_mutex);
+ if (file)
+ file->is_filemap = true;
 if (err)
 goto bail;
 }
-- 
GitLab
From 93685a13d2ed9110151d0719d925b03100c50554 Mon Sep 17 00:00:00 2001
From: android-t2
Date: Wed, 10 Aug 2022 13:43:45 +0800
Subject: [PATCH 2/2] [FP4-3860]Integrate security patch CVE_2021_35077
Change-Id: I1d0ed72318039d4faf97c8652407b9e9b546c31f
---
 drivers/char/adsprpc.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index eb201d9ef601..998067fbdf22 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -482,6 +482,8 @@ struct fastrpc_file {
 uint32_t ws_timeout;
 /* To indicate attempt has been made to allocate memory for debug_buf */
 int debug_buf_alloced_attempted;
+ /* Flag to indicate dynamic process creation status*/
+ bool in_process_create;
 };
 static struct fastrpc_apps gfa;
@@ -2577,6 +2579,15 @@ static int fastrpc_init_process(struct fastrpc_file *fl,
 int siglen;
 } inbuf;
+ spin_lock(&fl->hlock);
+ if (fl->in_process_create) {
+ err = -EALREADY;
+ pr_err("Already in create init process\n");
+ spin_unlock(&fl->hlock);
+ return err;
+ }
+ fl->in_process_create = true;
+ spin_unlock(&fl->hlock);
 inbuf.pgid = fl->tgid;
 inbuf.namelen = strlen(current->comm) + 1;
 inbuf.filelen = init->filelen;
@@ -2786,6 +2797,11 @@ static int fastrpc_init_process(struct fastrpc_file *fl,
 fastrpc_mmap_free(file, 0);
 mutex_unlock(&fl->map_mutex);
 }
+ if (init->flags == FASTRPC_INIT_CREATE) {
+ spin_lock(&fl->hlock);
+ fl->in_process_create = false;
+ spin_unlock(&fl->hlock);
+ }
 return err;
 }
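Review bot: In the `@@ -2587,6 +2591,8 @@` hunk, `file->is_filemap = true` is stored after `mutex_unlock(&fl->map_mutex)`, so the new map exists for a short window with the flag still false and no lock held. If the map is already linked into `fl->maps` by fastrpc_mmap_create and the unmap path serialises on `map_mutex` (neither is visible in this patch), another thread can still match and free the map in that window, and the flag store then writes to freed memory. That is the lifetime problem the flag is meant to close. Set the flag before dropping the mutex by moving `if (file) file->is_filemap = true;` above `mutex_unlock(&fl->map_mutex);`. fastrpc_init_process continues outside the hunk.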
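Review bot: `pr_err("Already in create init process\n");` in the `@@ -2577,6 +2579,15 @@` hunk fires on every rejected call, so a client that repeats the init request can fill the kernel log; use `pr_err_ratelimited("Already in create init process\n");` or a debug-level message. The early `return err` that bypasses `bail` looks deliberate, since the reset added at `bail` later in this patch would clear a flag this call did not set. A one-line comment such as `/* do not goto bail: the flag belongs to the call already in progress */` would stop a later cleanup from changing it.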
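Review bot: The reset in the `@@ -2786,6 +2797,11 @@` hunk tests `init->flags == FASTRPC_INIT_CREATE` rather than whether this call set the flag. Any create request that reaches `bail` before the guard added after the `inbuf` declaration would therefore clear `in_process_create` while another thread is still mid-create. Whether such an early `goto bail` exists is not visible in these hunks. If it does, record ownership in a local, e.g. `bool create_owner = false;` set to true next to `fl->in_process_create = true;`, and test `if (create_owner)` here. The flag is also cleared on success, so it only serialises concurrent creates and does not refuse a later second create on the same file.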
@@ -3690,6 +3706,7 @@ static int fastrpc_file_free(struct fastrpc_file *fl)
 }
 spin_lock(&fl->hlock);
 fl->file_close = 1;
+ fl->in_process_create = false;
 spin_unlock(&fl->hlock);
 if (!IS_ERR_OR_NULL(fl->init_mem))
 fastrpc_buf_free(fl->init_mem, 0);
@@ -4083,6 +4100,7 @@ static int fastrpc_device_open(struct inode *inode, struct file *filp)
 fl->cid = -1;
 fl->dev_minor = dev_minor;
 fl->init_mem = NULL;
+ fl->in_process_create = false;
 memset(&fl->perf, 0, sizeof(fl->perf));
 fl->qos_request = 0;
 fl->dsp_proc_init = 0;
-- 
GitLab