msm: adsprpc: Handle UAF in fastrpc internal munmap
Added reference count for contex map indicate memory under used
in remote call. And, this memory would not removed in internal
unmap to avoid UAF.
Issue: FP3SEC-1185
Change-Id: Ieb4ff6b298ff9c48953bc5b3539fdfe19a14b442
Acked-by: DEEPAK SANNAPAREDDY <sdeeredd@qti.qualcomm.com>
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
(cherry picked from commit 103b88d461f00a60f31de8bc8aa4a04d87f5b5ab)
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index 7291039..b54b318 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2022-2023, Qualcomm Innovation Center, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -362,6 +363,7 @@
int secure;
uintptr_t attr;
bool is_filemap; /*flag to indicate map used in process init*/
+ unsigned int ctx_refs; /* Indicates reference count for context map */
};
enum fastrpc_perfkeys {
@@ -713,7 +715,7 @@
hlist_for_each_entry_safe(map, n, &me->maps, hn) {
if (map->refs == 1 && map->raddr == va &&
map->raddr + map->len == va + len &&
- /*Remove map if not used in process initialization*/
+ /* Remove map if not used in process initialization */
!map->is_filemap) {
match = map;
hlist_del_init(&map->hn);
@@ -726,9 +728,10 @@
return 0;
}
hlist_for_each_entry_safe(map, n, &fl->maps, hn) {
- if (map->refs == 1 && map->raddr == va &&
+ /* Remove if only one reference map and no context map */
+ if (map->refs == 1 && !map->ctx_refs && map->raddr == va &&
map->raddr + map->len == va + len &&
- /*Remove map if not used in process initialization*/
+ /* Remove map if not used in process initialization */
!map->is_filemap) {
match = map;
hlist_del_init(&map->hn);
@@ -773,14 +776,14 @@
map->flags == ADSP_MMAP_REMOTE_HEAP_ADDR) {
spin_lock(&me->hlock);
map->refs--;
- if (!map->refs)
+ if (!map->refs && !map->ctx_refs)
hlist_del_init(&map->hn);
spin_unlock(&me->hlock);
if (map->refs > 0)
return;
} else {
map->refs--;
- if (!map->refs)
+ if (!map->refs && !map->ctx_refs)
hlist_del_init(&map->hn);
if (map->refs > 0 && !flags)
return;
@@ -876,6 +879,7 @@
map->fd = fd;
map->attr = attr;
map->is_filemap = false;
+ map->ctx_refs = 0;
if (mflags == ADSP_MMAP_HEAP_ADDR ||
mflags == ADSP_MMAP_REMOTE_HEAP_ADDR) {
unsigned long dma_attrs = DMA_ATTR_SKIP_ZEROING |
@@ -1346,9 +1350,11 @@
hlist_del_init(&ctx->hn);
spin_unlock(&ctx->fl->hlock);
mutex_lock(&ctx->fl->fl_map_mutex);
- for (i = 0; i < nbufs; ++i)
+ for (i = 0; i < nbufs; ++i) {
+ if (ctx->maps[i] && ctx->maps[i]->ctx_refs)
+ ctx->maps[i]->ctx_refs--;
fastrpc_mmap_free(ctx->maps[i], 0);
-
+ }
mutex_unlock(&ctx->fl->fl_map_mutex);
fastrpc_buf_free(ctx->buf, 1);
fastrpc_buf_free(ctx->lbuf, 1);
@@ -1543,6 +1549,9 @@
attrs, buf, len,
mflags, &ctx->maps[i]);
}
+ if (ctx->maps[i])
+ ctx->maps[i]->ctx_refs++;
+
mutex_unlock(&ctx->fl->fl_map_mutex);
ipage += 1;
}
@@ -1556,6 +1565,8 @@
dmaflags = FASTRPC_DMAHANDLE_NOMAP;
VERIFY(err, !fastrpc_mmap_create(ctx->fl, ctx->fds[i],
FASTRPC_ATTR_NOVA, 0, 0, dmaflags, &ctx->maps[i]));
+ if (!err && ctx->maps[i])
+ ctx->maps[i]->ctx_refs++;
if (err) {
mutex_unlock(&ctx->fl->fl_map_mutex);
goto bail;
@@ -1804,6 +1815,8 @@
goto bail;
} else {
mutex_lock(&ctx->fl->fl_map_mutex);
+ if (ctx->maps[i]->ctx_refs)
+ ctx->maps[i]->ctx_refs--;
fastrpc_mmap_free(ctx->maps[i], 0);
mutex_unlock(&ctx->fl->fl_map_mutex);
ctx->maps[i] = NULL;
@@ -1815,9 +1828,13 @@
if (!fdlist[i])
break;
if (!fastrpc_mmap_find(ctx->fl, (int)fdlist[i], 0, 0,
- 0, 0, &mmap))
+ 0, 0, &mmap)) {
+ if (mmap && mmap->ctx_refs)
+ mmap->ctx_refs--;
+
fastrpc_mmap_free(mmap, 0);
- }
+ }
+ }
}
mutex_unlock(&ctx->fl->fl_map_mutex);
if (ctx->crc && crclist && rpra)