Unverified Commit 5d4b707b authored Dec 17, 2024 by Abhinav Parihar Committed by Michael Bestas Apr 08, 2025

BACKPORT: dsp-kernel: Add attribute and flag checks during map creation



A persistence map is expected to hold refs=2 during its creation.
However, the Fuzzy test can create a persistence map by configuring
a mismatch between attributes and flags using the KEEP MAP attribute
and FD NOMAP flags. This sets the map reference count to 1. The user
then calls fastrpc_internal_munmap_fd to free the map since it
doesn't check flags, which can cause a use-after-free (UAF) for the
file map and shared buffer. Add a check to restrict DMA handle
maps with invalid attributes.

Change-Id: I2f024ef99cc2a0487010504166e3af3433d5302d
Acked-by: Santosh <quic_ssakore@quicinc.com>
Signed-off-by: Abhinav Parihar <quic_parihar@quicinc.com>

parent 8736793a

drivers/char/adsprpc.c

+6 −0

Original line number	Original line	Diff line number	Diff line
	@@ -1026,6 +1026,12 @@ static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd,
	map->size = len;		map->size = len;
	map->va = (uintptr_t)region_vaddr;		map->va = (uintptr_t)region_vaddr;
	} else if (mflags == FASTRPC_DMAHANDLE_NOMAP) {		} else if (mflags == FASTRPC_DMAHANDLE_NOMAP) {
			if (map->attr & FASTRPC_ATTR_KEEP_MAP) {
			pr_err("adsprpc: %s: Invalid attribute 0x%x for fd %d\n",
			__func__, map->attr, fd);
			err = -EINVAL;
			goto bail;
			}
	VERIFY(err, !IS_ERR_OR_NULL(map->buf = dma_buf_get(fd)));		VERIFY(err, !IS_ERR_OR_NULL(map->buf = dma_buf_get(fd)));
	if (err)		if (err)
	goto bail;		goto bail;