
Commit eec9f0cf authored by prabha

msm: adsprpc: Handle UAF in process shell memory



Added a flag to indicate memory used
in process initialization. This memory
is not removed in the internal unmap, to avoid
a UAF or double free.

Change-Id: Ie470fe58ac334421d186feb41fa67bd24bb5efea
Signed-off-by: prabha <prabha@codeaurora.org>
parent cb021827
+12 −4
@@ -573,6 +573,7 @@ struct fastrpc_mmap {
	bool in_use;			/* Indicates if persistent map is in use*/
	struct timespec64 map_start_time;
	struct timespec64 map_end_time;
	bool is_filemap; /*flag to indicate map used in process init*/
};

enum fastrpc_perfkeys {
@@ -1199,9 +1200,10 @@ static int fastrpc_mmap_remove(struct fastrpc_file *fl, int fd, uintptr_t va,

	spin_lock(&me->hlock);
	hlist_for_each_entry_safe(map, n, &me->maps, hn) {
		if ((fd < 0 || map->fd == fd) && map->raddr == va &&
		if (map->refs == 1 && map->raddr == va &&
			map->raddr + map->len == va + len &&
			map->refs == 1 && !map->is_persistent) {
			/*Remove map if not used in process initialization*/
			!map->is_filemap) {
			match = map;
			hlist_del_init(&map->hn);
			break;
@@ -1213,9 +1215,10 @@ static int fastrpc_mmap_remove(struct fastrpc_file *fl, int fd, uintptr_t va,
		return 0;
	}
	hlist_for_each_entry_safe(map, n, &fl->maps, hn) {
		if ((fd < 0 || map->fd == fd) && map->raddr == va &&
		if (map->refs == 1 && map->raddr == va &&
			map->raddr + map->len == va + len &&
			map->refs == 1) {
			/*Remove map if not used in process initialization*/
			!map->is_filemap) {
			match = map;
			hlist_del_init(&map->hn);
			break;
@@ -1399,6 +1402,7 @@ static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd,
	map->fd = fd;
	map->attr = attr;
	map->frpc_md_index = -1;
	map->is_filemap = false;
	ktime_get_real_ts64(&map->map_start_time);
	if (mflags == ADSP_MMAP_HEAP_ADDR ||
				mflags == ADSP_MMAP_REMOTE_HEAP_ADDR) {
@@ -3683,6 +3687,8 @@ static int fastrpc_init_create_dynamic_process(struct fastrpc_file *fl,
		mutex_lock(&fl->map_mutex);
		err = fastrpc_mmap_create(fl, init->filefd, 0,
			init->file, init->filelen, mflags, &file);
		if (file)
			file->is_filemap = true;
		mutex_unlock(&fl->map_mutex);
		if (err)
			goto bail;
@@ -3904,6 +3910,8 @@ static int fastrpc_init_create_static_process(struct fastrpc_file *fl,
			mutex_lock(&fl->map_mutex);
			err = fastrpc_mmap_create(fl, -1, 0, init->mem,
				 init->memlen, ADSP_MMAP_REMOTE_HEAP_ADDR, &mem);
			if (mem)
				mem->is_filemap = true;
			mutex_unlock(&fl->map_mutex);
			if (err)
				goto bail;
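Review bot: The is_filemap flag is set in fastrpc_init_create_dynamic_process and fastrpc_init_create_static_process only after fastrpc_mmap_create has returned, so if the helper links the map into fl->maps or me->maps before returning (as its out-pointer suggests), there is a window in which the map is already visible with is_filemap == false; whether an internal unmap can observe that window depends on fastrpc_mmap_remove's list walks being serialized by fl->map_mutex, which this diff does not show (the me->maps walk is under me->hlock only). Setting the flag inside fastrpc_mmap_create before the map is published, or passing it in as a parameter, would close that window regardless of the locking. Both new writes also ignore err: `if (!err && file) file->is_filemap = true;` (and the same for mem) avoids touching a map that a failed create may already have released, unless the helper is known to NULL its out-pointer on failure. Separately, the rendered fastrpc_mmap_remove hunk for the me->maps loop lost its +/- markers; if the printed order is old-then-new, the new condition no longer carries the `!map->is_persistent` guard the old line had, which would let a persistent map be unlinked here, so the intended line is presumably `!map->is_persistent && !map->is_filemap) {` and should be confirmed against the raw patch. The enclosing functions in every hunk start and end outside the hunk.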