msm: adsprpc: Handle UAF in fastrpc internal munmap
Added reference count for contex map indicate memory under used
in remote call. And, this memory would not removed in internal
unmap to avoid UAF.
Issue: FP3SEC-1185
Change-Id: Ieb4ff6b298ff9c48953bc5b3539fdfe19a14b442
Acked-by: DEEPAK SANNAPAREDDY <sdeeredd@qti.qualcomm.com>
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index d6fa42a..3a69072 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -1,6 +1,6 @@
/*
* Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2023, Qualcomm Innovation Center, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -363,6 +363,7 @@
int secure;
uintptr_t attr;
bool is_filemap; /*flag to indicate map used in process init*/
+ unsigned int ctx_refs; /* Indicates reference count for context map */
};
enum fastrpc_perfkeys {
@@ -714,7 +715,7 @@
hlist_for_each_entry_safe(map, n, &me->maps, hn) {
if (map->refs == 1 && map->raddr == va &&
map->raddr + map->len == va + len &&
- /*Remove map if not used in process initialization*/
+ /* Remove map if not used in process initialization */
!map->is_filemap) {
match = map;
hlist_del_init(&map->hn);
@@ -727,9 +728,10 @@
return 0;
}
hlist_for_each_entry_safe(map, n, &fl->maps, hn) {
- if (map->refs == 1 && map->raddr == va &&
+ /* Remove if only one reference map and no context map */
+ if (map->refs == 1 && !map->ctx_refs && map->raddr == va &&
map->raddr + map->len == va + len &&
- /*Remove map if not used in process initialization*/
+ /* Remove map if not used in process initialization */
!map->is_filemap) {
match = map;
hlist_del_init(&map->hn);
@@ -774,14 +776,14 @@
map->flags == ADSP_MMAP_REMOTE_HEAP_ADDR) {
spin_lock(&me->hlock);
map->refs--;
- if (!map->refs)
+ if (!map->refs && !map->ctx_refs)
hlist_del_init(&map->hn);
spin_unlock(&me->hlock);
if (map->refs > 0)
return;
} else {
map->refs--;
- if (!map->refs)
+ if (!map->refs && !map->ctx_refs)
hlist_del_init(&map->hn);
if (map->refs > 0 && !flags)
return;
@@ -877,6 +879,7 @@
map->fd = fd;
map->attr = attr;
map->is_filemap = false;
+ map->ctx_refs = 0;
if (mflags == ADSP_MMAP_HEAP_ADDR ||
mflags == ADSP_MMAP_REMOTE_HEAP_ADDR) {
unsigned long dma_attrs = DMA_ATTR_SKIP_ZEROING |
@@ -1347,9 +1350,11 @@
hlist_del_init(&ctx->hn);
spin_unlock(&ctx->fl->hlock);
mutex_lock(&ctx->fl->fl_map_mutex);
- for (i = 0; i < nbufs; ++i)
+ for (i = 0; i < nbufs; ++i) {
+ if (ctx->maps[i] && ctx->maps[i]->ctx_refs)
+ ctx->maps[i]->ctx_refs--;
fastrpc_mmap_free(ctx->maps[i], 0);
-
+ }
mutex_unlock(&ctx->fl->fl_map_mutex);
fastrpc_buf_free(ctx->buf, 1);
fastrpc_buf_free(ctx->lbuf, 1);
@@ -1544,6 +1549,9 @@
attrs, buf, len,
mflags, &ctx->maps[i]);
}
+ if (ctx->maps[i])
+ ctx->maps[i]->ctx_refs++;
+
mutex_unlock(&ctx->fl->fl_map_mutex);
ipage += 1;
}
@@ -1557,6 +1565,8 @@
dmaflags = FASTRPC_DMAHANDLE_NOMAP;
VERIFY(err, !fastrpc_mmap_create(ctx->fl, ctx->fds[i],
FASTRPC_ATTR_NOVA, 0, 0, dmaflags, &ctx->maps[i]));
+ if (!err && ctx->maps[i])
+ ctx->maps[i]->ctx_refs++;
if (err) {
mutex_unlock(&ctx->fl->fl_map_mutex);
goto bail;
@@ -1805,6 +1815,8 @@
goto bail;
} else {
mutex_lock(&ctx->fl->fl_map_mutex);
+ if (ctx->maps[i]->ctx_refs)
+ ctx->maps[i]->ctx_refs--;
fastrpc_mmap_free(ctx->maps[i], 0);
mutex_unlock(&ctx->fl->fl_map_mutex);
ctx->maps[i] = NULL;
@@ -1816,9 +1828,13 @@
if (!fdlist[i])
break;
if (!fastrpc_mmap_find(ctx->fl, (int)fdlist[i], 0, 0,
- 0, 0, &mmap))
+ 0, 0, &mmap)) {
+ if (mmap && mmap->ctx_refs)
+ mmap->ctx_refs--;
+
fastrpc_mmap_free(mmap, 0);
- }
+ }
+ }
}
mutex_unlock(&ctx->fl->fl_map_mutex);
if (ctx->crc && crclist && rpra)