
Commit da06db5c authored by Soumya Managoli's avatar Soumya Managoli Committed by Gerrit - the friendly Code Review server

dsp: q6lsm: Address use after free for mmap handle



The globally declared mmap_handle can be left dangling
in the case where the handle is freed by the calling function.
This change addresses that. Also add a check to make sure
the mmap_handle is accessed legally.

Change-Id: I367f8a41339aa0025b545b125ee820220efedeee
Signed-off-by: default avatarSoumya Managoli <quic_c_smanag@quicinc.com>
parent 315c6f41
+8 −1
// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2013-2019, Linux Foundation. All rights reserved.
 * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
 */
#include <linux/fs.h>
#include <linux/mutex.h>
@@ -405,6 +406,10 @@ static int q6lsm_apr_send_pkt(struct lsm_client *client, void *handle,
	}

	pr_debug("%s: enter wait %d\n", __func__, wait);
	if (mmap_handle_p) {
		pr_debug("%s: Invalid mmap_handle\n", __func__);
		return -EINVAL;
	}
	if (wait)
		mutex_lock(&lsm_common.apr_lock);
	if (mmap_p) {
@@ -450,6 +455,7 @@ static int q6lsm_apr_send_pkt(struct lsm_client *client, void *handle,

	if (mmap_p && *mmap_p == 0)
		ret = -ENOMEM;
	mmap_handle_p = NULL;
	pr_debug("%s: leave ret %d\n", __func__, ret);
	return ret;
}
@@ -1910,6 +1916,7 @@ static int q6lsm_mmapcallback(struct apr_client_data *data, void *priv)
	case LSM_SESSION_CMDRSP_SHARED_MEM_MAP_REGIONS:
		if (atomic_read(&client->cmd_state) == CMD_STATE_WAIT_RESP) {
			spin_lock_irqsave(&mmap_lock, flags);
			if (mmap_handle_p)
				*mmap_handle_p = command;
			/* spin_unlock_irqrestore implies barrier */
			spin_unlock_irqrestore(&mmap_lock, flags);
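Review bot: The `if (mmap_handle_p)` test at the top of q6lsm_apr_send_pkt runs before `mutex_lock(&lsm_common.apr_lock)` and without `mmap_lock`, although q6lsm_mmapcallback only touches the same global under `mmap_lock`. The read is therefore unsynchronised, and a caller that arrives while another mapping request is presumably still in flight now gets `-EINVAL` instead of being serialised on `apr_lock`. Consider moving the test after the `mutex_lock` and reading the pointer under `spin_lock_irqsave(&mmap_lock, flags)`. If a non-NULL value at that point can only be a leftover from an earlier path, say so in a comment such as `/* non-NULL here means an earlier request never reset the pointer */` and log it with `pr_err` rather than `pr_debug`. The same hunk appears in the second file on this page, and the function body starts and ends outside these hunks, so where `mmap_handle_p` is assigned is not visible here.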
+8 −1
/*
 * Copyright (c) 2013-2019, Linux Foundation. All rights reserved.
 *
 * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
 * only version 2 as published by the Free Software Foundation.
@@ -400,6 +401,10 @@ static int q6lsm_apr_send_pkt(struct lsm_client *client, void *handle,
	}

	pr_debug("%s: enter wait %d\n", __func__, wait);
	if (mmap_handle_p) {
		pr_debug("%s: Invalid mmap_handle\n", __func__);
		return -EINVAL;
	}
	if (wait)
		mutex_lock(&lsm_common.apr_lock);
	if (mmap_p) {
@@ -443,6 +448,7 @@ static int q6lsm_apr_send_pkt(struct lsm_client *client, void *handle,
	if (wait)
		mutex_unlock(&lsm_common.apr_lock);

	mmap_handle_p = NULL;
	pr_debug("%s: leave ret %d\n", __func__, ret);
	return ret;
}
@@ -1832,6 +1838,7 @@ static int q6lsm_mmapcallback(struct apr_client_data *data, void *priv)
	case LSM_SESSION_CMDRSP_SHARED_MEM_MAP_REGIONS:
		if (atomic_read(&client->cmd_state) == CMD_STATE_WAIT_RESP) {
			spin_lock_irqsave(&mmap_lock, flags);
			if (mmap_handle_p)
				*mmap_handle_p = command;
			/* spin_unlock_irqrestore implies barrier */
			spin_unlock_irqrestore(&mmap_lock, flags);
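Review bot: `mmap_handle_p = NULL;` in the second hunk runs after `mutex_unlock(&lsm_common.apr_lock)` and without taking `mmap_lock`, so it does not fully close the window the commit message describes. q6lsm_mmapcallback can pass its `if (mmap_handle_p)` test under `mmap_lock` and still write through the pointer while the sender clears it and returns to a caller that frees the handle. Once `apr_lock` is dropped, another sender may also have stored its own pointer already, and this store would wipe it. Do the reset before the unlock and under the spinlock, `spin_lock_irqsave(&mmap_lock, flags); mmap_handle_p = NULL; spin_unlock_irqrestore(&mmap_lock, flags);`, adding an `unsigned long flags` local if the function has none. Any early `return` between the assignment (outside the hunk) and this line would skip the reset as well, and the first file on this page has the same store at the end of the function.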