commit 6e0f9264acb81bc2281d5aad80125fe411616b74
author Sandhya Mutha Naga Venkata <quic_smuthana@quicinc.com> Thu Jul 20 14:40:44 2023 +0530
committer Prashantsinh Parmar <prashantsinh.parmar@fairphone.partners> Mon Jan 29 11:01:31 2024 +0100
tree 41bafbfbbfead930672ed104b4dc428cf2a83075
parent 26e89ebe50122a44ef2f27dffac70ac6b9b43bcf

dsp: q6lsm: Address use after free for mmap handle

The global declared mmap_handle can be left dangling
for case when the handle is freed by the calling function.
Fix is to address this. Also add a check to make sure
the mmap_handle is accessed legally.

Issue: FP3SEC-1254
Change-Id: I367f8a41339aa0025b545b125ee820220efedeee
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
(cherry picked from commit 6b8f3568740661978d7d60567ff5e27b5fb7d28d)

dsp/q6lsm.c

diff --git a/dsp/q6lsm.c b/dsp/q6lsm.c
index 9c39ef6..20d36ac 100644
--- a/dsp/q6lsm.c
+++ b/dsp/q6lsm.c
@@ -433,6 +433,10 @@
 	}
 
 	pr_debug("%s: enter wait %d\n", __func__, wait);
+	if (mmap_handle_p) {
+		pr_debug("%s: Invalid mmap_handle\n", __func__);
+		return -EINVAL;
+	}
 	if (wait)
 		mutex_lock(&lsm_common.apr_lock);
 	if (mmap_p) {
@@ -476,6 +480,7 @@
 	if (wait)
 		mutex_unlock(&lsm_common.apr_lock);
 
+	mmap_handle_p = NULL;
 	pr_debug("%s: leave ret %d\n", __func__, ret);
 	return ret;
 }
@@ -1525,7 +1530,8 @@
 	case LSM_SESSION_CMDRSP_SHARED_MEM_MAP_REGIONS:
 		if (atomic_read(&client->cmd_state) == CMD_STATE_WAIT_RESP) {
 			spin_lock_irqsave(&mmap_lock, flags);
-			*mmap_handle_p = command;
+			if (mmap_handle_p)
+				*mmap_handle_p = command;
 			/* spin_unlock_irqrestore implies barrier */
 			spin_unlock_irqrestore(&mmap_lock, flags);
 			atomic_set(&client->cmd_state, CMD_STATE_CLEARED);