
Commit 8fb32c3a authored by Sathish Ambley's avatar Sathish Ambley

msm: ADSPRPC: Do not access user memory directly



The buffers being passed in the invocation are copied from user
memory into the context using copy_from_user. Look up the buffer
pointers from the context where they were copied rather than
accessing them directly from user memory.

Change-Id: Ief5a840f17f6287ebd48b4ae52facaccb271fab8
Signed-off-by: default avatarSathish Ambley <sathishambley@codeaurora.org>
parent a5eb2c93
+7 −6
@@ -737,8 +737,7 @@ static int clear_user_outbufs(struct smq_invoke_ctx *ctx)
	return err;
}

static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
			remote_arg_t *upra)
static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
{
	remote_arg_t *rpra;
	remote_arg_t *lpra = ctx->lpra;
@@ -875,7 +874,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
	size = sizeof(*rpra) * REMOTE_SCALARS_INHANDLES(sc);
	if (size) {
		inh = inbufs + outbufs;
		K_COPY_FROM_USER(err, kernel, &rpra[inh], &upra[inh], size);
		K_COPY_FROM_USER(err, kernel, &rpra[inh], &lpra[inh], size);
		if (err)
			goto bail;
	}
@@ -896,8 +895,10 @@ static int put_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
	outbufs = REMOTE_SCALARS_OUTBUFS(sc);
	for (i = inbufs; i < inbufs + outbufs; ++i) {
		if (!ctx->maps[i]) {
			K_COPY_TO_USER(err, kernel, upra[i].buf.pv,
					rpra[i].buf.pv, rpra[i].buf.len);
			K_COPY_TO_USER(err, kernel,
				ctx->lpra[i].buf.pv,
				rpra[i].buf.pv,
				rpra[i].buf.len);
			if (err)
				goto bail;
		} else {
@@ -1056,7 +1057,7 @@ static int fastrpc_internal_invoke(struct fastrpc_file *fl, uint32_t mode,
		goto bail;

	if (REMOTE_SCALARS_LENGTH(ctx->sc)) {
		VERIFY(err, 0 == get_args(kernel, ctx, invoke->pra));
		VERIFY(err, 0 == get_args(kernel, ctx));
		if (err)
			goto bail;
	}
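Review bot: In the get_args hunk, `K_COPY_FROM_USER(err, kernel, &rpra[inh], &lpra[inh], size);` now reads from `ctx->lpra`, which the commit message describes as the copy already held in the context, yet the call still goes through the user-copy macro. The macro's definition is not on this page; if it resolves to copy_from_user() when `kernel` is 0, a kernel source address would be rejected by the access check and user-mode invocations with in-handles would fail, so a plain `memcpy(&rpra[inh], &lpra[inh], size);` looks like the right form here. It is also worth confirming that the context copy covers the handle entries from index `inbufs + outbufs` onward, since that allocation is outside the hunk. get_args continues past the lines shown.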
+8 −9
/*
 * Copyright (c) 2014 The Linux Foundation. All rights reserved.
 * Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -98,8 +98,9 @@ static int compat_get_fastrpc_ioctl_invoke(
	if (err)
		return -EFAULT;

	inv->inv.pra = (union remote_arg *)(inv + 1);
	err = put_user(sc, &inv->inv.sc);
	pra = (union remote_arg *)(inv + 1);
	err = put_user(pra, &inv->inv.pra);
	err |= put_user(sc, &inv->inv.sc);
	err |= get_user(u, &inv32->inv.handle);
	err |= put_user(u, &inv->inv.handle);
	err |= get_user(p, &inv32->inv.pra);
@@ -107,12 +108,11 @@ static int compat_get_fastrpc_ioctl_invoke(
		return err;

	pra32 = compat_ptr(p);
	pra = inv->inv.pra;
	pra = (union remote_arg *)(inv + 1);
	num = REMOTE_SCALARS_INBUFS(sc) + REMOTE_SCALARS_OUTBUFS(sc);
	for (j = 0; j < num; j++) {
		err |= get_user(p, &pra32[j].buf.pv);
		pra[j].buf.pv = NULL;
		err |= put_user(p, (compat_uptr_t *)&pra[j].buf.pv);
		err |= put_user(p, (uintptr_t *)&pra[j].buf.pv);
		err |= get_user(s, &pra32[j].buf.len);
		err |= put_user(s, &pra[j].buf.len);
	}
@@ -121,7 +121,7 @@ static int compat_get_fastrpc_ioctl_invoke(
		err |= put_user(u, &pra[num + j].h);
	}

	inv->fds = NULL;
	err |= put_user(NULL, &inv->fds);
	if (cmd == COMPAT_FASTRPC_IOCTL_INVOKE_FD) {
		err |= get_user(p, &inv32->fds);
		err |= put_user(p, (compat_uptr_t *)&inv->fds);
@@ -173,8 +173,7 @@ static int compat_get_fastrpc_ioctl_mmap(
	err |= get_user(u, &map32->flags);
	err |= put_user(u, &map->flags);
	err |= get_user(p, &map32->vaddrin);
	map->vaddrin = NULL;
	err |= put_user(p, (compat_uptr_t *)&map->vaddrin);
	err |= put_user(p, (uintptr_t *)&map->vaddrin);
	err |= get_user(s, &map32->size);
	err |= put_user(s, &map->size);