Unverified Commit ccafc484 authored by Santosh, committed by Michael Bestas

adsprpc: Handle UAF scenario in put_args



Currently, the DSP updates header buffers with unused DMA handle fds.
In the put_args section, if any DMA handle FDs are present in the
header buffer, the corresponding map is freed. However, since the
header buffer is exposed to users in unsigned PD, users can update
invalid FDs. If this invalid FD matches with any FD that is already
in use, it could lead to a use-after-free (UAF) vulnerability.
As a solution, add DMA handle references for DMA FDs, and the map for
the FD will be freed only when a reference is found.

Acked-by: Om Deore <quic_odeore@quicinc.com>
Change-Id: I3c2614451f7b3717236708ee5e9b88f16f6e435d
Signed-off-by: Santosh <quic_ssakore@quicinc.com>
parent f3d09b6d
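
A simplified user-space model of the reference check the commit message describes, added here as an example; it is not the driver's code. The map table layout and the names `struct session`, `map_create`, `dma_handle_ref` and `put_args_release` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#define MAX_MAPS 8
/* Hypothetical model of one session's map table; not the driver's structures. */
struct map {
    int fd;            /* fd backing this map */
    bool in_use;
    unsigned dma_refs; /* references taken when fd was passed as a DMA handle */
};
struct session { struct map maps[MAX_MAPS]; };

static struct map *find_map(struct session *s, int fd) {
    for (size_t i = 0; i < MAX_MAPS; i++)
        if (s->maps[i].in_use && s->maps[i].fd == fd)
            return &s->maps[i];
    return NULL;
}

/* Create a map for fd; returns 0 on success, -1 if the table is full. */
int map_create(struct session *s, int fd) {
    for (size_t i = 0; i < MAX_MAPS; i++)
        if (!s->maps[i].in_use) {
            s->maps[i] = (struct map){ .fd = fd, .in_use = true, .dma_refs = 0 };
            return 0;
        }
    return -1;
}

/* Call setup: record that fd was really passed as a DMA handle. */
int dma_handle_ref(struct session *s, int fd) {
    struct map *m = find_map(s, fd);
    if (!m) return -1;
    m->dma_refs++;
    return 0;
}

/* Call teardown: hdr_fds comes from the user-writable header, so each entry
 * is untrusted. A map is released only if a DMA handle reference exists. */
size_t put_args_release(struct session *s, const int *hdr_fds, size_t n) {
    size_t freed = 0;
    for (size_t i = 0; i < n; i++) {
        struct map *m = find_map(s, hdr_fds[i]);
        if (!m || m->dma_refs == 0) continue; /* forged or stale fd: skip */
        if (--m->dma_refs == 0) {
            m->in_use = false;
            freed++;
        }
    }
    return freed;
}
```

In this model a header entry that names an fd still in use as an ordinary buffer is ignored, and a repeated entry for an already released DMA handle finds no map to free.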