
Commit 1caea9c0 authored by Skylar Chang's avatar Skylar Chang

msm: ipa: handle information leak on ADD_FLT_RULE_INDEX ioctl



IPA may have an information leak and device crash due to a
kernel heap over-read in the IPA driver when processing the
WAN_IOC_ADD_FLT_RULE_INDEX ioctl. The fix is to add a
check on the maximum number of filter rules sent to the modem.

Change-Id: I454e04d05cfcb7af8fc4bd2b4a1bade55c4684d0
Signed-off-by: default avatarSkylar Chang <chiaweic@codeaurora.org>
parent 22194df2
+7 −2
@@ -160,7 +160,7 @@ static int handle_install_filter_rule_req(void *req_h, void *req)
			resp.filter_handle_list_len = MAX_NUM_Q6_RULE;
			IPAWANERR("installed (%d) max Q6-UL rules ",
			MAX_NUM_Q6_RULE);
			IPAWANERR("but modem gives total (%d)\n",
			IPAWANERR("but modem gives total (%u)\n",
			rule_req->filter_spec_list_len);
		} else {
			resp.filter_handle_list_len =
@@ -513,7 +513,7 @@ int qmi_filter_request_send(struct ipa_install_fltr_rule_req_msg_v01 *req)
	if (req->filter_spec_list_len == 0) {
		IPAWANDBG("IPACM pass zero rules to Q6\n");
	} else {
		IPAWANDBG("IPACM pass %d rules to Q6\n",
		IPAWANDBG("IPACM pass %u rules to Q6\n",
		req->filter_spec_list_len);
	}

@@ -649,6 +649,11 @@ int qmi_filter_notify_send(struct ipa_fltr_installed_notif_req_msg_v01 *req)
		IPAWANERR(" delete UL filter rule for pipe %d\n",
		req->source_pipe_index);
		return -EINVAL;
	} else if (req->filter_index_list_len > QMI_IPA_MAX_FILTERS_V01) {
		IPAWANERR(" UL filter rule for pipe %d exceed max (%u)\n",
		req->source_pipe_index,
		req->filter_index_list_len);
		return -EINVAL;
	} else if (req->filter_index_list[0].filter_index == 0 &&
		req->source_pipe_index !=
		ipa2_get_ep_mapping(IPA_CLIENT_APPS_LAN_WAN_PROD)) {
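Review bot: The new `filter_index_list_len > QMI_IPA_MAX_FILTERS_V01` branch is what makes the `filter_index_list[0]` access on the following line and any later walk over the list safe, but it also depends on the preceding branch (whose condition starts above this hunk) having rejected a zero-length list, and that invariant is not recorded anywhere; a comment at the new branch such as `/* from here on 1 <= filter_index_list_len <= QMI_IPA_MAX_FILTERS_V01, bounding every filter_index_list[] access below */` would make the relationship explicit. Because the comparison is `>`, a length equal to QMI_IPA_MAX_FILTERS_V01 is accepted, which is correct only if that constant is the declared element count of the list rather than one past it, so it is worth confirming against the v01 message definition. The identical block is added to ipa3_qmi_filter_notify_send in the second file section and the same comment applies there. Any caller that reads the list before reaching this function would still see the unchecked length; the ioctl entry path is not visible in this commit.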
+7 −2
@@ -170,7 +170,7 @@ static int ipa3_handle_install_filter_rule_req(void *req_h, void *req)
			resp.rule_id_len = MAX_NUM_Q6_RULE;
			IPAWANERR("installed (%d) max Q6-UL rules ",
			MAX_NUM_Q6_RULE);
			IPAWANERR("but modem gives total (%d)\n",
			IPAWANERR("but modem gives total (%u)\n",
			rule_req->filter_spec_ex_list_len);
		} else {
			resp.rule_id_len =
@@ -593,7 +593,7 @@ int ipa3_qmi_filter_request_send(struct ipa_install_fltr_rule_req_msg_v01 *req)
	if (req->filter_spec_ex_list_len == 0) {
		IPAWANDBG("IPACM pass zero rules to Q6\n");
	} else {
		IPAWANDBG("IPACM pass %d rules to Q6\n",
		IPAWANDBG("IPACM pass %u rules to Q6\n",
		req->filter_spec_ex_list_len);
	}

@@ -726,6 +726,11 @@ int ipa3_qmi_filter_notify_send(
		IPAWANERR(" delete UL filter rule for pipe %d\n",
		req->source_pipe_index);
		return -EINVAL;
	} else if (req->filter_index_list_len > QMI_IPA_MAX_FILTERS_V01) {
		IPAWANERR(" UL filter rule for pipe %d exceed max (%u)\n",
		req->source_pipe_index,
		req->filter_index_list_len);
		return -EINVAL;
	}

	/* cache the qmi_filter_request */