
Commit f983b5a1 authored by Daniel Perez-Zoghbi

qcedev: fix UAF in qcedev_smmu



An external researcher found a UAF in qcedev_smmu.c on an error condition in
qcedev_check_and_map_buffer. When an error occurs, we free binfo, but it
is still kept in the registeredbufs list. The fix removes it from the
list before freeing binfo.

Change-Id: I0327e456bd46106b12c36a5a21305407aae428dd
Signed-off-by: Daniel Perez-Zoghbi <quic_dperezzo@quicinc.com>
parent d8204f4d
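The bug class the commit message describes (an object freed while a node embedded in it is still linked into a list that other paths walk) is easier to see in isolation. The following is an added example, not code from this driver or commit: it models the registeredbufs list with a minimal kernel-style intrusive list, a stub mutex that only records acquisitions, and two hypothetical versions of the error path. Names such as check_and_map_buggy, check_and_map_fixed, first_registered and the buf_info/qce_handle layouts are assumptions for illustration. The dangling entry is detected by reading only the list head, so the demonstration never touches freed memory itself.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal intrusive list in the style of the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;   /* poison: a second list_del crashes instead of corrupting */
}
static int list_empty(const struct list_head *h) { return h->next == h; }

/* Stand-in for mutex_lock/mutex_unlock that only records acquisitions (hypothetical). */
struct fake_mutex { int held; int acquisitions; };
static void mutex_lock(struct fake_mutex *m) { assert(!m->held); m->held = 1; m->acquisitions++; }
static void mutex_unlock(struct fake_mutex *m) { assert(m->held); m->held = 0; }

/* Simplified buffer record and per-open handle; the layouts are assumed, not the driver's. */
struct buf_info   { int fd; int mapped; struct list_head list; };
struct qce_handle { struct list_head registeredbufs; struct fake_mutex lock; };

static void handle_init(struct qce_handle *h) {
    list_init(&h->registeredbufs);
    memset(&h->lock, 0, sizeof h->lock);
}

/* Address of the first registered entry as an integer. Only the list head is read, so this
   is safe to call even after that entry has been freed. Returns 0 for an empty list. */
static uintptr_t first_registered(const struct qce_handle *h) {
    if (list_empty(&h->registeredbufs)) return 0;
    return (uintptr_t)h->registeredbufs.next - offsetof(struct buf_info, list);
}

/* Pre-fix shape of the error path: binfo is unmapped and freed but stays linked in
   registeredbufs. Returns the freed object's address (as an integer) on failure, 0 on success. */
static uintptr_t check_and_map_buggy(struct qce_handle *h, int fd, int fail_after_register) {
    struct buf_info *binfo = calloc(1, sizeof *binfo);
    uintptr_t dangling = 0;
    if (!binfo) return 0;
    binfo->fd = fd;
    binfo->mapped = 1;                        /* stands in for the DMA mapping step */
    mutex_lock(&h->lock);
    list_add(&binfo->list, &h->registeredbufs);
    mutex_unlock(&h->lock);
    if (fail_after_register)                  /* a later step fails, e.g. a validation check */
        goto unmap;
    return 0;
unmap:
    binfo->mapped = 0;                        /* the unmap call */
    dangling = (uintptr_t)binfo;
    free(binfo);                              /* BUG: registeredbufs still holds &binfo->list */
    return dangling;
}

/* Post-fix shape: unlink under the list lock first, then unmap and free, so no other path
   can find the entry once it is gone. Returns 0 on success, -1 on failure. */
static int check_and_map_fixed(struct qce_handle *h, int fd, int fail_after_register) {
    struct buf_info *binfo = calloc(1, sizeof *binfo);
    if (!binfo) return -1;
    binfo->fd = fd;
    binfo->mapped = 1;
    mutex_lock(&h->lock);
    list_add(&binfo->list, &h->registeredbufs);
    mutex_unlock(&h->lock);
    if (fail_after_register)
        goto unmap;
    return 0;
unmap:
    mutex_lock(&h->lock);
    list_del(&binfo->list);
    mutex_unlock(&h->lock);
    binfo->mapped = 0;
    free(binfo);
    return -1;
}

/* 1 if the buggy path leaves registeredbufs pointing at the freed object. */
int buggy_path_leaves_dangling_entry(void) {
    struct qce_handle h; handle_init(&h);
    uintptr_t freed = check_and_map_buggy(&h, 7, 1);
    return freed != 0 && first_registered(&h) == freed;
}

/* 1 if the fixed path leaves the list empty after a failure and populated after a success. */
int fixed_path_unlinks_before_free(void) {
    struct qce_handle h; handle_init(&h);
    int ok = check_and_map_fixed(&h, 7, 1) == -1 && first_registered(&h) == 0
             && h.lock.acquisitions == 2;    /* one lock to add, one to unlink */
    ok = ok && check_and_map_fixed(&h, 8, 0) == 0 && first_registered(&h) != 0;
    while (!list_empty(&h.registeredbufs)) {  /* release the surviving entry */
        struct buf_info *b = (struct buf_info *)((char *)h.registeredbufs.next - offsetof(struct buf_info, list));
        list_del(&b->list);
        free(b);
    }
    return ok;
}

int main(void) {
    printf("buggy path leaves dangling entry: %d\n", buggy_path_leaves_dangling_entry());
    printf("fixed path unlinks before free:   %d\n", fixed_path_unlinks_before_free());
    return 0;
}
```

In the buggy variant any later lookup by fd would walk registeredbufs into the freed node; the example stops at comparing the address so that it runs cleanly under ASan or a debug allocator, which is also how such a bug is normally confirmed in practice. The fixed variant unlinks before unmapping, the stricter ordering of the two that the list lock actually protects.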
+5 −1
@@ -350,8 +350,12 @@ int qcedev_check_and_map_buffer(void *handle,
	return 0;

unmap:
	if (!found)
	if (!found) {
		qcedev_unmap_buffer(handle, mem_client, binfo);
		mutex_lock(&qce_hndl->registeredbufs.lock);
		list_del(&binfo->list);
		mutex_unlock(&qce_hndl->registeredbufs.lock);
	}

error:
	kfree(binfo);
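Review bot: in the `unmap:` block the buffer is unmapped before it is unlinked, so between `qcedev_unmap_buffer(handle, mem_client, binfo);` and `list_del(&binfo->list);` another path that walks `registeredbufs` under the lock can still find binfo and hand out an already unmapped buffer; suggest taking `qce_hndl->registeredbufs.lock`, doing the `list_del`, and dropping the lock before the unmap call, so the entry disappears from the list first and is only then torn down. Separately, the `error:` label still reaches `kfree(binfo);` with no `list_del`, so the fix relies on binfo being added to the list only after the last jump to `error:`; a one-line comment stating that invariant at the label would make the distinction between the two exits clear to the next reader.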