commit 2605a14c306ee8763661036036b3725329a184f1
author Tharun Kumar Merugu <mtharu@codeaurora.org> Sat Feb 02 01:22:47 2019 +0530
committer Karsten Tausche <karsten@fairphone.com> Wed Jul 17 12:40:08 2019 +0200
tree b089b3f80f337b394f7d0a2eb3f7baa827d21884
parent c1449bf09b4581c98491da605f84923a7615d22d

msm: adsprpc: restrict user apps from sending kernel RPC messages

Verify that user applications are not using the kernel RPC message
handle to restrict them from directly attaching to guest OS on the
remote subsystem.

Issue: SEC-1942
Bug: 129852114
Change-Id: Icfa114a12f2bebbe815eb9930027fded51f717fd
Acked-by: Thyagarajan Venkatanarayanan <venkatan@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
(adapted from commit 908fcf5759aa8ca51803bee2a60bda844fd93bce)

drivers/char/adsprpc.c

diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index 54b5b4e..f563df9 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2014, 2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2014, 2018-2019 The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -59,6 +59,8 @@
 
 #define IS_CACHE_ALIGNED(x) (((x) & ((L1_CACHE_BYTES)-1)) == 0)
 
+#define FASTRPC_STATIC_HANDLE_KERNEL (1)
+
 static inline uint32_t buf_page_start(void *buf)
 {
 	uint32_t start = (uint32_t) buf & PAGE_MASK;
@@ -958,6 +960,15 @@
 	int err = 0;
 
 	if (!kernel) {
+		VERIFY(err, invoke->handle != FASTRPC_STATIC_HANDLE_KERNEL);
+		if (err) {
+			pr_err("adsprpc: ERROR: %s: user application %s trying to send a kernel RPC message",
+				__func__, current->comm);
+			goto bail;
+		}
+	}
+
+	if (!kernel) {
 		VERIFY(err, 0 == context_restore_interrupted(me, invokefd,
 								&ctx));
 		if (err)
@@ -1034,7 +1045,7 @@
 	tgid = current->tgid;
 	ra[0].buf.pv = &tgid;
 	ra[0].buf.len = sizeof(tgid);
-	ioctl.inv.handle = 1;
+	ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL;
 	ioctl.inv.sc = REMOTE_SCALARS_MAKE(0, 1, 0);
 	ioctl.inv.pra = ra;
 	ioctl.fds = 0;
@@ -1054,7 +1065,7 @@
 	tgid = current->tgid;
 	ra[0].buf.pv = &tgid;
 	ra[0].buf.len = sizeof(tgid);
-	ioctl.inv.handle = 1;
+	ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL;
 	ioctl.inv.sc = REMOTE_SCALARS_MAKE(1, 1, 0);
 	ioctl.inv.pra = ra;
 	ioctl.fds = 0;
@@ -1094,7 +1105,7 @@
 	ra[2].buf.pv = &routargs;
 	ra[2].buf.len = sizeof(routargs);
 
-	ioctl.inv.handle = 1;
+	ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL;
 	ioctl.inv.sc = REMOTE_SCALARS_MAKE(2, 2, 1);
 	ioctl.inv.pra = ra;
 	ioctl.fds = 0;
@@ -1125,7 +1136,7 @@
 	ra[0].buf.pv = &inargs;
 	ra[0].buf.len = sizeof(inargs);
 
-	ioctl.inv.handle = 1;
+	ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL;
 	ioctl.inv.sc = REMOTE_SCALARS_MAKE(3, 1, 0);
 	ioctl.inv.pra = ra;
 	ioctl.fds = 0;