msm: adsprpc: Handle UAF in process shell memory
Added flag to indicate memory used
in process initialization. And, this memory
would not removed in internal unmap to avoid
UAF or double free.
Change-Id: Ifa621dee171b3d1f98b82302c847f4d767f3e736
Signed-off-by: Swathi K <kataka@codeaurora.org>
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index c7aa94f..d063fe0 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -352,6 +352,7 @@
int uncached;
int secure;
uintptr_t attr;
+ bool is_filemap; /*flag to indicate map used in process init*/
};
enum fastrpc_perfkeys {
@@ -700,9 +701,10 @@
spin_lock(&me->hlock);
hlist_for_each_entry_safe(map, n, &me->maps, hn) {
- if (map->raddr == va &&
+ if (map->refs == 1 && map->raddr == va &&
map->raddr + map->len == va + len &&
- map->refs == 1) {
+ /*Remove map if not used in process initialization*/
+ !map->is_filemap) {
match = map;
hlist_del_init(&map->hn);
break;
@@ -714,9 +716,10 @@
return 0;
}
hlist_for_each_entry_safe(map, n, &fl->maps, hn) {
- if (map->raddr == va &&
+ if (map->refs == 1 && map->raddr == va &&
map->raddr + map->len == va + len &&
- map->refs == 1) {
+ /*Remove map if not used in process initialization*/
+ !map->is_filemap) {
match = map;
hlist_del_init(&map->hn);
break;
@@ -858,6 +861,7 @@
map->fl = fl;
map->fd = fd;
map->attr = attr;
+ map->is_filemap = false;
if (mflags == ADSP_MMAP_HEAP_ADDR ||
mflags == ADSP_MMAP_REMOTE_HEAP_ADDR) {
unsigned long dma_attrs = DMA_ATTR_SKIP_ZEROING |
@@ -2243,6 +2247,8 @@
mutex_lock(&fl->fl_map_mutex);
VERIFY(err, !fastrpc_mmap_create(fl, init->filefd, 0,
init->file, init->filelen, mflags, &file));
+ if (file)
+ file->is_filemap = true;
mutex_unlock(&fl->fl_map_mutex);
if (err)
goto bail;