
Commit 45c3e706 authored by Armaan Siddiqui's avatar Armaan Siddiqui

msm: ipa3: Fix to copy num of rules from user space



Copy the number of rules (num_rules) from user space into the kernel
alongside the payload; previously only the payload was copied, so the
kernel had nothing to compare against. The count is re-read and checked
against the value used to size the payload copy, to detect the user-space
structure being modified in between.

Change-Id: I14e15fe0c6746226cc44d224d33c00e809cd69ca
Signed-off-by: default avatarArmaan Siddiqui <asiddiqu@codeaurora.org>
parent 44a13331
+93 −14
@@ -708,6 +708,7 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg)
	u32 pyld_sz;
	u64 uptr = 0;
	u8 *param = NULL;
	u8 *param2 = NULL;
	u8 *kptr = NULL;

	if (copy_from_user(header, (const void __user *)arg,
@@ -746,11 +747,20 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg)
		retval = -EFAULT;
		goto free_param_kptr;
	}

	param2 = memdup_user((const void __user *)arg,
		sizeof(struct ipa_ioc_add_rt_rule_v2));
	if (IS_ERR(param2)) {
		retval = -EFAULT;
		goto free_param_kptr;
	}


	/* add check in case user-space module compromised */
	if (unlikely(((struct ipa_ioc_add_rt_rule_v2 *)param)->num_rules
	if (unlikely(((struct ipa_ioc_add_rt_rule_v2 *)param2)->num_rules
		!= pre_entry)) {
		IPAERR_RL("current %d pre %d\n",
			((struct ipa_ioc_add_rt_rule_v2 *)param)->
			((struct ipa_ioc_add_rt_rule_v2 *)param2)->
				num_rules, pre_entry);
			retval = -EFAULT;
			goto free_param_kptr;
@@ -794,6 +804,8 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg)
free_param_kptr:
	if (!IS_ERR(param))
		kfree(param);
	if (!IS_ERR(param2))
		kfree(param2);
	kfree(kptr);

	return retval;
@@ -809,6 +821,7 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg)
	u32 pyld_sz;
	u64 uptr = 0;
	u8 *param = NULL;
	u8 *param2 = NULL;
	u8 *kptr = NULL;

	if (copy_from_user(header,
@@ -850,11 +863,20 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg)
		retval = -EFAULT;
		goto free_param_kptr;
	}

	param2 = memdup_user((const void __user *)arg,
		sizeof(struct ipa_ioc_add_rt_rule_ext_v2));
	if (IS_ERR(param2)) {
		retval = -EFAULT;
		goto free_param_kptr;
	}


	/* add check in case user-space module compromised */
	if (unlikely(((struct ipa_ioc_add_rt_rule_ext_v2 *)param)->num_rules
	if (unlikely(((struct ipa_ioc_add_rt_rule_ext_v2 *)param2)->num_rules
		!= pre_entry)) {
		IPAERR_RL("current %d pre %d\n",
			((struct ipa_ioc_add_rt_rule_ext_v2 *)param)->
			((struct ipa_ioc_add_rt_rule_ext_v2 *)param2)->
				num_rules, pre_entry);
			retval = -EFAULT;
			goto free_param_kptr;
@@ -900,6 +922,8 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg)
free_param_kptr:
	if (!IS_ERR(param))
		kfree(param);
	if (!IS_ERR(param2))
		kfree(param2);
	kfree(kptr);

	return retval;
@@ -915,6 +939,7 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg)
	u32 pyld_sz;
	u64 uptr = 0;
	u8 *param = NULL;
	u8 *param2 = NULL;
	u8 *kptr = NULL;

	if (copy_from_user(header, (const void __user *)arg,
@@ -955,11 +980,19 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg)
		retval = -EFAULT;
		goto free_param_kptr;
	}

	param2 = memdup_user((const void __user *)arg,
		sizeof(struct ipa_ioc_add_rt_rule_after_v2));
	if (IS_ERR(param2)) {
		retval = -EFAULT;
		goto free_param_kptr;
	}

	/* add check in case user-space module compromised */
	if (unlikely(((struct ipa_ioc_add_rt_rule_after_v2 *)param)->num_rules
	if (unlikely(((struct ipa_ioc_add_rt_rule_after_v2 *)param2)->num_rules
		!= pre_entry)) {
		IPAERR_RL("current %d pre %d\n",
			((struct ipa_ioc_add_rt_rule_after_v2 *)param)->
			((struct ipa_ioc_add_rt_rule_after_v2 *)param2)->
				num_rules, pre_entry);
			retval = -EFAULT;
			goto free_param_kptr;
@@ -1003,6 +1036,8 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg)
free_param_kptr:
	if (!IS_ERR(param))
		kfree(param);
	if (!IS_ERR(param2))
		kfree(param2);
	kfree(kptr);

	return retval;
@@ -1018,6 +1053,7 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg)
	u32 pyld_sz;
	u64 uptr = 0;
	u8 *param = NULL;
	u8 *param2 = NULL;
	u8 *kptr = NULL;

	if (copy_from_user(header, (const void __user *)arg,
@@ -1058,11 +1094,19 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg)
		retval = -EFAULT;
		goto free_param_kptr;
	}

	param2 = memdup_user((const void __user *)arg,
		sizeof(struct ipa_ioc_mdfy_rt_rule_v2));
	if (IS_ERR(param2)) {
		retval = -EFAULT;
		goto free_param_kptr;
	}

	/* add check in case user-space module compromised */
	if (unlikely(((struct ipa_ioc_mdfy_rt_rule_v2 *)param)->num_rules
	if (unlikely(((struct ipa_ioc_mdfy_rt_rule_v2 *)param2)->num_rules
		!= pre_entry)) {
		IPAERR_RL("current %d pre %d\n",
			((struct ipa_ioc_mdfy_rt_rule_v2 *)param)->
			((struct ipa_ioc_mdfy_rt_rule_v2 *)param2)->
				num_rules, pre_entry);
			retval = -EFAULT;
			goto free_param_kptr;
@@ -1106,6 +1150,8 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg)
free_param_kptr:
	if (!IS_ERR(param))
		kfree(param);
	if (!IS_ERR(param2))
		kfree(param2);
	kfree(kptr);

	return retval;
@@ -1121,6 +1167,7 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg)
	u32 pyld_sz;
	u64 uptr = 0;
	u8 *param = NULL;
	u8 *param2 = NULL;
	u8 *kptr = NULL;

	if (copy_from_user(header, (const void __user *)arg,
@@ -1160,11 +1207,19 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg)
		retval = -EFAULT;
		goto free_param_kptr;
	}

	param2 = memdup_user((const void __user *)arg,
		sizeof(struct ipa_ioc_add_flt_rule_v2));
	if (IS_ERR(param2)) {
		retval = -EFAULT;
		goto free_param_kptr;
	}

	/* add check in case user-space module compromised */
	if (unlikely(((struct ipa_ioc_add_flt_rule_v2 *)param)->num_rules
	if (unlikely(((struct ipa_ioc_add_flt_rule_v2 *)param2)->num_rules
		!= pre_entry)) {
		IPAERR_RL("current %d pre %d\n",
			((struct ipa_ioc_add_flt_rule_v2 *)param)->
			((struct ipa_ioc_add_flt_rule_v2 *)param2)->
				num_rules, pre_entry);
			retval = -EFAULT;
			goto free_param_kptr;
@@ -1207,6 +1262,8 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg)
free_param_kptr:
	if (!IS_ERR(param))
		kfree(param);
	if (!IS_ERR(param2))
		kfree(param2);
	kfree(kptr);

	return retval;
@@ -1222,6 +1279,7 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg)
	u32 pyld_sz;
	u64 uptr = 0;
	u8 *param = NULL;
	u8 *param2 = NULL;
	u8 *kptr = NULL;

	if (copy_from_user(header, (const void __user *)arg,
@@ -1262,11 +1320,19 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg)
		retval = -EFAULT;
		goto free_param_kptr;
	}

	param2 = memdup_user((const void __user *)arg,
		sizeof(struct ipa_ioc_add_flt_rule_after_v2));
	if (IS_ERR(param2)) {
		retval = -EFAULT;
		goto free_param_kptr;
	}

	/* add check in case user-space module compromised */
	if (unlikely(((struct ipa_ioc_add_flt_rule_after_v2 *)param)->num_rules
	if (unlikely(((struct ipa_ioc_add_flt_rule_after_v2 *)param2)->num_rules
		!= pre_entry)) {
		IPAERR_RL("current %d pre %d\n",
			((struct ipa_ioc_add_flt_rule_after_v2 *)param)->
			((struct ipa_ioc_add_flt_rule_after_v2 *)param2)->
				num_rules, pre_entry);
			retval = -EFAULT;
			goto free_param_kptr;
@@ -1310,6 +1376,8 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg)
free_param_kptr:
	if (!IS_ERR(param))
		kfree(param);
	if (!IS_ERR(param2))
		kfree(param2);
	kfree(kptr);

	return retval;
@@ -1325,6 +1393,7 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg)
	u32 pyld_sz;
	u64 uptr = 0;
	u8 *param = NULL;
	u8 *param2 = NULL;
	u8 *kptr = NULL;

	if (copy_from_user(header, (const void __user *)arg,
@@ -1365,11 +1434,19 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg)
		retval = -EFAULT;
		goto free_param_kptr;
	}

	param2 = memdup_user((const void __user *)arg,
		sizeof(struct ipa_ioc_mdfy_flt_rule_v2));
	if (IS_ERR(param2)) {
		retval = -EFAULT;
		goto free_param_kptr;
	}

	/* add check in case user-space module compromised */
	if (unlikely(((struct ipa_ioc_mdfy_flt_rule_v2 *)param)->num_rules
	if (unlikely(((struct ipa_ioc_mdfy_flt_rule_v2 *)param2)->num_rules
		!= pre_entry)) {
		IPAERR_RL("current %d pre %d\n",
			((struct ipa_ioc_mdfy_flt_rule_v2 *)param)->
			((struct ipa_ioc_mdfy_flt_rule_v2 *)param2)->
				num_rules, pre_entry);
			retval = -EFAULT;
			goto free_param_kptr;
@@ -1413,6 +1490,8 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg)
free_param_kptr:
	if (!IS_ERR(param))
		kfree(param);
	if (!IS_ERR(param2))
		kfree(param2);
	kfree(kptr);

	return retval;
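Review bot: The new `param2 = memdup_user(arg, sizeof(struct ...))` in each of the eight handlers copies and kmallocs the whole ioctl struct only to read `num_rules` once, and then needs a second `kfree` in the `free_param_kptr` path; a `get_user()` on that one field into a local avoids the allocation, the extra failure path and the cast, e.g. `if (get_user(cur_rules, &((struct ipa_ioc_add_rt_rule_v2 __user *)arg)->num_rules)) { retval = -EFAULT; goto free_param_kptr; }` followed by `if (unlikely(cur_rules != pre_entry))`, with `cur_rules` declared with the same type as the struct's `num_rules` field (not visible in this hunk, so confirm it). The functions already hold a copy of the struct in `header` from the first `copy_from_user`, so the re-read is only needed for the comparison itself. Note also that this is a consistency sanity check rather than a race-proof guard: the kernel keeps using the earlier `header`/`param` copies and discards `param2`, so a caller that changes `num_rules` and changes it back between the copies still passes; the comment `/* add check in case user-space module compromised */` could say so to avoid overstating the protection. The `-EFAULT` on a failed `memdup_user` also hides an `-ENOMEM`; `retval = PTR_ERR(param2)` would preserve it. All eight enclosing functions (`ipa3_ioctl_add_rt_rule_v2` through `ipa3_ioctl_mdfy_flt_rule_v2`) start and continue outside these hunks.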