
Commit c3219d4f authored by rnamala, committed by Gerrit - the friendly Code Review server

msm: adsprpc: Prevent use after free in fastrpc_invoke_send
In some async scenarios, the message context might be freed
by the async response thread before the user thread
updates the txmsg buffer. This leads to a use after free scenario.
Prevent this from happening by copying the message to a temporary
variable and using this temporary variable.

Change-Id: I181eb5c6e1a6bdc2437f974d5f514d8fdfefcc9f
Acked-by: Ranjith Goud Namala <rnamala@qti.qualcomm.com>
Signed-off-by: rnamala <quic_rnamala@quicinc.com>
parent 00ad633e
+13 −0
@@ -2955,11 +2955,13 @@ static int fastrpc_invoke_send(struct smq_invoke_ctx *ctx,
			       uint32_t kernel, uint32_t handle)
{
	struct smq_msg *msg = &ctx->msg;
	struct smq_msg msg_temp;
	struct fastrpc_file *fl = ctx->fl;
	struct fastrpc_channel_ctx *channel_ctx = NULL;
	int err = 0, cid = -1;
	uint32_t sc = ctx->sc;
	int64_t ns = 0;
	int isasync = (ctx->asyncjob.isasyncjob ? true : false);

	if (!fl) {
		err = -EBADF;
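Review bot: `msg_temp` is declared for the whole function but is only populated on the async path (the `memcpy` under `if (isasync)` in the next hunk), so every synchronous call carries a full `struct smq_msg` of uninitialized stack that is never used. Consider initializing it (`struct smq_msg msg_temp = {0};`) or doing the copy unconditionally so that `msg` always points at the local and the sync and async paths do not diverge.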
@@ -3000,6 +3002,17 @@ static int fastrpc_invoke_send(struct smq_invoke_ctx *ctx,
		mutex_unlock(&channel_ctx->rpmsg_mutex);
		goto bail;
	}

	if (isasync) {
		/*
		 * After message is sent to DSP, async response thread could immediately
		 * get the response and free context, which will result in a use-after-free
		 * in this function. So use a local variable for message.
		 */
		memcpy(&msg_temp, msg, sizeof(struct smq_msg));
		msg = &msg_temp;
	}

	err = rpmsg_send(channel_ctx->rpdev->ept, (void *)msg, sizeof(*msg));
	mutex_unlock(&channel_ctx->rpmsg_mutex);
	trace_fastrpc_rpmsg_send(cid, (uint64_t)ctx, msg->invoke.header.ctx,
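Review bot: the copy only protects the `msg` pointer; `ctx` itself can still be freed by the async response thread as soon as `rpmsg_send()` returns, so any read through `ctx->` between the send and the end of the function remains a use-after-free in the async case. The visible `trace_fastrpc_rpmsg_send(cid, (uint64_t)ctx, msg->invoke.header.ctx, ...)` is safe because it uses only the pointer value and the copied message, but the rest of the function after this point should be checked for other `ctx` dereferences, and a comment at the copy stating that `ctx` must not be touched after the send would make the invariant explicit. Minor: `msg_temp = *msg;` expresses the struct copy without the `sizeof` argument.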