Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 31142010 authored by Liam Mark's avatar Liam Mark Committed by Gerrit - the friendly Code Review server
Browse files

ion: Ensure non-HLOS memory cannot be mapped by CPU 



Currently it is possible for an ION client to allocate non-HLOS memory
(ie memory which isn't assigned to the HLOS vmid), map this memory, and
then attempt to access this memory from the CPU.
Attempting to access non-HLOS memory from the CPU will crash the system.

Fix ION so that non-HLOS memory cannot be mapped by the CPU.

Change-Id: Ifb51de2eabc076cddc744c13f01ef97b4a7c6874
Signed-off-by: default avatarLiam Mark <lmark@codeaurora.org>
parent 47cb4b24

drivers/staging/android/ion/ion_cma_heap.c

+25 −2
Original line number Original line Diff line number Diff line
@@ -232,11 +232,34 @@ static int ion_secure_cma_allocate( 
	return ret;

	return ret;

}

}





static void *ion_secure_cma_map_kernel(struct ion_heap *heap,

				       struct ion_buffer *buffer)

{

	if (!hlos_accessible_buffer(buffer)) {

		pr_info("%s: Mapping non-HLOS accessible buffer disallowed\n",

			__func__);

		return NULL;

	}

	return ion_heap_map_kernel(heap, buffer);

}



static int ion_secure_cma_map_user(struct ion_heap *mapper,

				   struct ion_buffer *buffer,

				   struct vm_area_struct *vma)

{

	if (!hlos_accessible_buffer(buffer)) {

		pr_info("%s: Mapping non-HLOS accessible buffer disallowed\n",

			__func__);

		return -EINVAL;

	}

	return ion_heap_map_user(mapper, buffer, vma);

}



static struct ion_heap_ops ion_secure_cma_ops = {

static struct ion_heap_ops ion_secure_cma_ops = {

	.allocate = ion_secure_cma_allocate,

	.allocate = ion_secure_cma_allocate,

	.free = ion_secure_cma_free,

	.free = ion_secure_cma_free,

	.map_user = ion_heap_map_user,

	.map_user = ion_secure_cma_map_user,

	.map_kernel = ion_heap_map_kernel,

	.map_kernel = ion_secure_cma_map_kernel,

	.unmap_kernel = ion_heap_unmap_kernel,

	.unmap_kernel = ion_heap_unmap_kernel,

};

};

drivers/staging/android/ion/ion_system_heap.c

+12 −0
Original line number Original line Diff line number Diff line
@@ -56,6 +56,11 @@ struct pages_mem { 
	u32 size;

	u32 size;

};

};





int ion_heap_is_system_heap_type(enum ion_heap_type type)

{

	return type == ((enum ion_heap_type)ION_HEAP_TYPE_SYSTEM);

}



static struct page *alloc_buffer_page(struct ion_system_heap *heap,

static struct page *alloc_buffer_page(struct ion_system_heap *heap,

				      struct ion_buffer *buffer,

				      struct ion_buffer *buffer,

				      unsigned long order,

				      unsigned long order,
@@ -280,6 +285,13 @@ static int ion_system_heap_allocate(struct ion_heap *heap, 
	if (size / PAGE_SIZE > totalram_pages / 2)

	if (size / PAGE_SIZE > totalram_pages / 2)

		return -ENOMEM;

		return -ENOMEM;





	if (ion_heap_is_system_heap_type(buffer->heap->type) &&

	    is_secure_vmid_valid(vmid)) {

		pr_info("%s: System heap doesn't support secure allocations\n",

			__func__);

		return -EINVAL;

	}



	data.size = 0;

	data.size = 0;

	INIT_LIST_HEAD(&pages);

	INIT_LIST_HEAD(&pages);

	INIT_LIST_HEAD(&pages_from_pool);

	INIT_LIST_HEAD(&pages_from_pool);