msm: adsprpc: Handle UAF in process shell memory
Added flag to indicate memory used
in process initialization. And, this memory
would not removed in internal unmap to avoid
UAF or double free.
Issue: FP3SEC-168
Change-Id: Ifa621dee171b3d1f98b82302c847f4d767f3e736
Signed-off-by: Swathi K <kataka@codeaurora.org>
(cherry picked from commit 59d96fe15e49fd90f860a477028654db60d5b887)
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index 64e6e2f..7da0694 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -351,6 +351,7 @@
int uncached;
int secure;
uintptr_t attr;
+ bool is_filemap; /*flag to indicate map used in process init*/
};
enum fastrpc_perfkeys {
@@ -687,9 +688,10 @@
spin_lock(&me->hlock);
hlist_for_each_entry_safe(map, n, &me->maps, hn) {
- if (map->raddr == va &&
+ if (map->refs == 1 && map->raddr == va &&
map->raddr + map->len == va + len &&
- map->refs == 1) {
+ /*Remove map if not used in process initialization*/
+ !map->is_filemap) {
match = map;
hlist_del_init(&map->hn);
break;
@@ -701,9 +703,10 @@
return 0;
}
hlist_for_each_entry_safe(map, n, &fl->maps, hn) {
- if (map->raddr == va &&
+ if (map->refs == 1 && map->raddr == va &&
map->raddr + map->len == va + len &&
- map->refs == 1) {
+ /*Remove map if not used in process initialization*/
+ !map->is_filemap) {
match = map;
hlist_del_init(&map->hn);
break;
@@ -843,6 +846,7 @@
map->fl = fl;
map->fd = fd;
map->attr = attr;
+ map->is_filemap = false;
if (mflags == ADSP_MMAP_HEAP_ADDR ||
mflags == ADSP_MMAP_REMOTE_HEAP_ADDR) {
unsigned long dma_attrs = DMA_ATTR_SKIP_ZEROING |
@@ -2205,6 +2209,8 @@
mutex_lock(&fl->fl_map_mutex);
VERIFY(err, !fastrpc_mmap_create(fl, init->filefd, 0,
init->file, init->filelen, mflags, &file));
+ if (file)
+ file->is_filemap = true;
mutex_unlock(&fl->fl_map_mutex);
if (err)
goto bail;