Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b518b33d authored by Skylar Chang's avatar Skylar Chang
Browse files

msm: ipa: fix potential race condition ioctls 



There are potential race condition ioctls in
the IPA driver when it copies the actual
arguments from the user-space memory to the
IPA-driver. The fix is to add check on the 2nd
copy to make sure the same payload size is copied
to the pre-allocated kernel memory as in during
the 1st copy.

Change-Id: I5a440f89153518507acdf5dad42625503732e59a
Signed-off-by: default avatarSkylar Chang <chiaweic@codeaurora.org>
parent 22194df2

drivers/platform/msm/ipa/ipa_v2/ipa.c

+192 −34
Original line number Diff line number Diff line
@@ -575,6 +575,7 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
	struct ipa_ioc_v4_nat_del nat_del;

	struct ipa_ioc_rm_dependency rm_depend;

	size_t sz;

	int pre_entry;



	IPADBG("cmd=%x nr=%d\n", cmd, _IOC_NR(cmd));
@@ -623,11 +624,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}



		pre_entry =

			((struct ipa_ioc_nat_dma_cmd *)header)->entries;

		pyld_sz =

		   sizeof(struct ipa_ioc_nat_dma_cmd) +

		   ((struct ipa_ioc_nat_dma_cmd *)header)->entries *

		   sizeof(struct ipa_ioc_nat_dma_one);

		   pre_entry * sizeof(struct ipa_ioc_nat_dma_one);

		param = kzalloc(pyld_sz, GFP_KERNEL);

		if (!param) {

			retval = -ENOMEM;
@@ -638,7 +639,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}



		/* add check in case user-space module compromised */

		if (unlikely(((struct ipa_ioc_nat_dma_cmd *)param)->entries

			!= pre_entry)) {

			IPAERR(" prevent memory corruption(%d not match %d)\n",

				((struct ipa_ioc_nat_dma_cmd *)param)->entries,

				pre_entry);

			retval = -EINVAL;

			break;

		}

		if (ipa2_nat_dma_cmd((struct ipa_ioc_nat_dma_cmd *)param)) {

			retval = -EFAULT;

			break;
@@ -663,10 +672,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		pre_entry =

			((struct ipa_ioc_add_hdr *)header)->num_hdrs;

		pyld_sz =

		   sizeof(struct ipa_ioc_add_hdr) +

		   ((struct ipa_ioc_add_hdr *)header)->num_hdrs *

		   sizeof(struct ipa_hdr_add);

		   pre_entry * sizeof(struct ipa_hdr_add);

		param = kzalloc(pyld_sz, GFP_KERNEL);

		if (!param) {

			retval = -ENOMEM;
@@ -676,6 +686,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		/* add check in case user-space module compromised */

		if (unlikely(((struct ipa_ioc_add_hdr *)param)->num_hdrs

			!= pre_entry)) {

			IPAERR(" prevent memory corruption(%d not match %d)\n",

				((struct ipa_ioc_add_hdr *)param)->num_hdrs,

				pre_entry);

			retval = -EINVAL;

			break;

		}

		if (ipa2_add_hdr((struct ipa_ioc_add_hdr *)param)) {

			retval = -EFAULT;

			break;
@@ -692,10 +711,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		pre_entry =

			((struct ipa_ioc_del_hdr *)header)->num_hdls;

		pyld_sz =

		   sizeof(struct ipa_ioc_del_hdr) +

		   ((struct ipa_ioc_del_hdr *)header)->num_hdls *

		   sizeof(struct ipa_hdr_del);

		   pre_entry * sizeof(struct ipa_hdr_del);

		param = kzalloc(pyld_sz, GFP_KERNEL);

		if (!param) {

			retval = -ENOMEM;
@@ -705,6 +725,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		/* add check in case user-space module compromised */

		if (unlikely(((struct ipa_ioc_del_hdr *)param)->num_hdls

			!= pre_entry)) {

			IPAERR(" prevent memory corruption(%d not match %d)\n",

				((struct ipa_ioc_del_hdr *)param)->num_hdls,

				pre_entry);

			retval = -EINVAL;

			break;

		}

		if (ipa2_del_hdr((struct ipa_ioc_del_hdr *)param)) {

			retval = -EFAULT;

			break;
@@ -721,10 +750,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		pre_entry =

			((struct ipa_ioc_add_rt_rule *)header)->num_rules;

		pyld_sz =

		   sizeof(struct ipa_ioc_add_rt_rule) +

		   ((struct ipa_ioc_add_rt_rule *)header)->num_rules *

		   sizeof(struct ipa_rt_rule_add);

		   pre_entry * sizeof(struct ipa_rt_rule_add);

		param = kzalloc(pyld_sz, GFP_KERNEL);

		if (!param) {

			retval = -ENOMEM;
@@ -734,6 +764,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		/* add check in case user-space module compromised */

		if (unlikely(((struct ipa_ioc_add_rt_rule *)param)->num_rules

			!= pre_entry)) {

			IPAERR(" prevent memory corruption(%d not match %d)\n",

				((struct ipa_ioc_add_rt_rule *)param)->

				num_rules,

				pre_entry);

			retval = -EINVAL;

			break;

		}

		if (ipa2_add_rt_rule((struct ipa_ioc_add_rt_rule *)param)) {

			retval = -EFAULT;

			break;
@@ -750,10 +790,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		pre_entry =

			((struct ipa_ioc_mdfy_rt_rule *)header)->num_rules;

		pyld_sz =

		   sizeof(struct ipa_ioc_mdfy_rt_rule) +

		   ((struct ipa_ioc_mdfy_rt_rule *)header)->num_rules *

		   sizeof(struct ipa_rt_rule_mdfy);

		   pre_entry * sizeof(struct ipa_rt_rule_mdfy);

		param = kzalloc(pyld_sz, GFP_KERNEL);

		if (!param) {

			retval = -ENOMEM;
@@ -763,6 +804,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		/* add check in case user-space module compromised */

		if (unlikely(((struct ipa_ioc_mdfy_rt_rule *)param)->num_rules

			!= pre_entry)) {

			IPAERR(" prevent memory corruption(%d not match %d)\n",

				((struct ipa_ioc_mdfy_rt_rule *)param)->

				num_rules,

				pre_entry);

			retval = -EINVAL;

			break;

		}

		if (ipa2_mdfy_rt_rule((struct ipa_ioc_mdfy_rt_rule *)param)) {

			retval = -EFAULT;

			break;
@@ -779,10 +830,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		pre_entry =

			((struct ipa_ioc_del_rt_rule *)header)->num_hdls;

		pyld_sz =

		   sizeof(struct ipa_ioc_del_rt_rule) +

		   ((struct ipa_ioc_del_rt_rule *)header)->num_hdls *

		   sizeof(struct ipa_rt_rule_del);

		   pre_entry * sizeof(struct ipa_rt_rule_del);

		param = kzalloc(pyld_sz, GFP_KERNEL);

		if (!param) {

			retval = -ENOMEM;
@@ -792,6 +844,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		/* add check in case user-space module compromised */

		if (unlikely(((struct ipa_ioc_del_rt_rule *)param)->num_hdls

			!= pre_entry)) {

			IPAERR(" prevent memory corruption(%d not match %d)\n",

				((struct ipa_ioc_del_rt_rule *)param)->num_hdls,

				pre_entry);

			retval = -EINVAL;

			break;

		}

		if (ipa2_del_rt_rule((struct ipa_ioc_del_rt_rule *)param)) {

			retval = -EFAULT;

			break;
@@ -808,10 +869,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		pre_entry =

			((struct ipa_ioc_add_flt_rule *)header)->num_rules;

		pyld_sz =

		   sizeof(struct ipa_ioc_add_flt_rule) +

		   ((struct ipa_ioc_add_flt_rule *)header)->num_rules *

		   sizeof(struct ipa_flt_rule_add);

		   pre_entry * sizeof(struct ipa_flt_rule_add);

		param = kzalloc(pyld_sz, GFP_KERNEL);

		if (!param) {

			retval = -ENOMEM;
@@ -821,6 +883,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		/* add check in case user-space module compromised */

		if (unlikely(((struct ipa_ioc_add_flt_rule *)param)->num_rules

			!= pre_entry)) {

			IPAERR(" prevent memory corruption(%d not match %d)\n",

				((struct ipa_ioc_add_flt_rule *)param)->

				num_rules,

				pre_entry);

			retval = -EINVAL;

			break;

		}

		if (ipa2_add_flt_rule((struct ipa_ioc_add_flt_rule *)param)) {

			retval = -EFAULT;

			break;
@@ -837,10 +909,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		pre_entry =

			((struct ipa_ioc_del_flt_rule *)header)->num_hdls;

		pyld_sz =

		   sizeof(struct ipa_ioc_del_flt_rule) +

		   ((struct ipa_ioc_del_flt_rule *)header)->num_hdls *

		   sizeof(struct ipa_flt_rule_del);

		   pre_entry * sizeof(struct ipa_flt_rule_del);

		param = kzalloc(pyld_sz, GFP_KERNEL);

		if (!param) {

			retval = -ENOMEM;
@@ -850,6 +923,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		/* add check in case user-space module compromised */

		if (unlikely(((struct ipa_ioc_del_flt_rule *)param)->num_hdls

			!= pre_entry)) {

			IPAERR(" prevent memory corruption(%d not match %d)\n",

				((struct ipa_ioc_del_flt_rule *)param)->

				num_hdls,

				pre_entry);

			retval = -EINVAL;

			break;

		}

		if (ipa2_del_flt_rule((struct ipa_ioc_del_flt_rule *)param)) {

			retval = -EFAULT;

			break;
@@ -866,10 +949,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		pre_entry =

			((struct ipa_ioc_mdfy_flt_rule *)header)->num_rules;

		pyld_sz =

		   sizeof(struct ipa_ioc_mdfy_flt_rule) +

		   ((struct ipa_ioc_mdfy_flt_rule *)header)->num_rules *

		   sizeof(struct ipa_flt_rule_mdfy);

		   pre_entry * sizeof(struct ipa_flt_rule_mdfy);

		param = kzalloc(pyld_sz, GFP_KERNEL);

		if (!param) {

			retval = -ENOMEM;
@@ -879,6 +963,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		/* add check in case user-space module compromised */

		if (unlikely(((struct ipa_ioc_mdfy_flt_rule *)param)->num_rules

			!= pre_entry)) {

			IPAERR(" prevent memory corruption(%d not match %d)\n",

				((struct ipa_ioc_mdfy_flt_rule *)param)->

				num_rules,

				pre_entry);

			retval = -EINVAL;

			break;

		}

		if (ipa2_mdfy_flt_rule((struct ipa_ioc_mdfy_flt_rule *)param)) {

			retval = -EFAULT;

			break;
@@ -992,9 +1086,10 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}



		pyld_sz = sz + ((struct ipa_ioc_query_intf_tx_props *)

				header)->num_tx_props *

		pre_entry =

			((struct ipa_ioc_query_intf_tx_props *)

			header)->num_tx_props;

		pyld_sz = sz + pre_entry *

			sizeof(struct ipa_ioc_tx_intf_prop);

		param = kzalloc(pyld_sz, GFP_KERNEL);

		if (!param) {
@@ -1005,6 +1100,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		/* add check in case user-space module compromised */

		if (unlikely(((struct ipa_ioc_query_intf_tx_props *)

			param)->num_tx_props

			!= pre_entry)) {

			IPAERR(" prevent memory corruption(%d not match %d)\n",

				((struct ipa_ioc_query_intf_tx_props *)

				param)->num_tx_props, pre_entry);

			retval = -EINVAL;

			break;

		}

		if (ipa_query_intf_tx_props(

				(struct ipa_ioc_query_intf_tx_props *)param)) {

			retval = -1;
@@ -1027,9 +1132,10 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}



		pyld_sz = sz + ((struct ipa_ioc_query_intf_rx_props *)

				header)->num_rx_props *

		pre_entry =

			((struct ipa_ioc_query_intf_rx_props *)

			header)->num_rx_props;

		pyld_sz = sz + pre_entry *

			sizeof(struct ipa_ioc_rx_intf_prop);

		param = kzalloc(pyld_sz, GFP_KERNEL);

		if (!param) {
@@ -1040,6 +1146,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		/* add check in case user-space module compromised */

		if (unlikely(((struct ipa_ioc_query_intf_rx_props *)

			param)->num_rx_props != pre_entry)) {

			IPAERR(" prevent memory corruption(%d not match %d)\n",

				((struct ipa_ioc_query_intf_rx_props *)

				param)->num_rx_props, pre_entry);

			retval = -EINVAL;

			break;

		}

		if (ipa_query_intf_rx_props(

				(struct ipa_ioc_query_intf_rx_props *)param)) {

			retval = -1;
@@ -1062,9 +1177,10 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}



		pyld_sz = sz + ((struct ipa_ioc_query_intf_ext_props *)

				header)->num_ext_props *

		pre_entry =

			((struct ipa_ioc_query_intf_ext_props *)

			header)->num_ext_props;

		pyld_sz = sz + pre_entry *

			sizeof(struct ipa_ioc_ext_intf_prop);

		param = kzalloc(pyld_sz, GFP_KERNEL);

		if (!param) {
@@ -1075,6 +1191,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		/* add check in case user-space module compromised */

		if (unlikely(((struct ipa_ioc_query_intf_ext_props *)

			param)->num_ext_props != pre_entry)) {

			IPAERR(" prevent memory corruption(%d not match %d)\n",

				((struct ipa_ioc_query_intf_ext_props *)

				param)->num_ext_props, pre_entry);

			retval = -EINVAL;

			break;

		}

		if (ipa_query_intf_ext_props(

				(struct ipa_ioc_query_intf_ext_props *)param)) {

			retval = -1;
@@ -1091,8 +1216,10 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		pyld_sz = sizeof(struct ipa_msg_meta) +

		pre_entry =

		   ((struct ipa_msg_meta *)header)->msg_len;

		pyld_sz = sizeof(struct ipa_msg_meta) +

		   pre_entry;

		param = kzalloc(pyld_sz, GFP_KERNEL);

		if (!param) {

			retval = -ENOMEM;
@@ -1102,6 +1229,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		/* add check in case user-space module compromised */

		if (unlikely(((struct ipa_msg_meta *)param)->msg_len

			!= pre_entry)) {

			IPAERR(" prevent memory corruption(%d not match %d)\n",

				((struct ipa_msg_meta *)param)->msg_len,

				pre_entry);

			retval = -EINVAL;

			break;

		}

		if (ipa_pull_msg((struct ipa_msg_meta *)param,

				 (char *)param + sizeof(struct ipa_msg_meta),

				 ((struct ipa_msg_meta *)param)->msg_len) !=
@@ -1218,10 +1354,12 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		pre_entry =

			((struct ipa_ioc_add_hdr_proc_ctx *)

			header)->num_proc_ctxs;

		pyld_sz =

		   sizeof(struct ipa_ioc_add_hdr_proc_ctx) +

		   ((struct ipa_ioc_add_hdr_proc_ctx *)header)->num_proc_ctxs *

		   sizeof(struct ipa_hdr_proc_ctx_add);

		   pre_entry * sizeof(struct ipa_hdr_proc_ctx_add);

		param = kzalloc(pyld_sz, GFP_KERNEL);

		if (!param) {

			retval = -ENOMEM;
@@ -1231,6 +1369,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		/* add check in case user-space module compromised */

		if (unlikely(((struct ipa_ioc_add_hdr_proc_ctx *)

			param)->num_proc_ctxs != pre_entry)) {

			IPAERR(" prevent memory corruption(%d not match %d)\n",

				((struct ipa_ioc_add_hdr_proc_ctx *)

				param)->num_proc_ctxs, pre_entry);

			retval = -EINVAL;

			break;

		}

		if (ipa2_add_hdr_proc_ctx(

			(struct ipa_ioc_add_hdr_proc_ctx *)param)) {

			retval = -EFAULT;
@@ -1247,10 +1394,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		pre_entry =

			((struct ipa_ioc_del_hdr_proc_ctx *)header)->num_hdls;

		pyld_sz =

		   sizeof(struct ipa_ioc_del_hdr_proc_ctx) +

		   ((struct ipa_ioc_del_hdr_proc_ctx *)header)->num_hdls *

		   sizeof(struct ipa_hdr_proc_ctx_del);

		   pre_entry * sizeof(struct ipa_hdr_proc_ctx_del);

		param = kzalloc(pyld_sz, GFP_KERNEL);

		if (!param) {

			retval = -ENOMEM;
@@ -1260,6 +1408,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 
			retval = -EFAULT;

			break;

		}

		/* add check in case user-space module compromised */

		if (unlikely(((struct ipa_ioc_del_hdr_proc_ctx *)

			param)->num_hdls != pre_entry)) {

			IPAERR(" prevent memory corruption( %d not match %d)\n",

				((struct ipa_ioc_del_hdr_proc_ctx *)param)->

				num_hdls,

				pre_entry);

			retval = -EINVAL;

			break;

		}

		if (ipa2_del_hdr_proc_ctx(

			(struct ipa_ioc_del_hdr_proc_ctx *)param)) {

			retval = -EFAULT;

drivers/platform/msm/ipa/ipa_v3/ipa.c

+219 −38

File changed.

Preview size limit exceeded, changes collapsed.