From 5d4b707b4554f5763fab52448286f91c42417fc3 Mon Sep 17 00:00:00 2001 From: Abhinav Parihar Date: Tue, 17 Dec 2024 18:34:34 +0530 Subject: [PATCH] BACKPORT: dsp-kernel: Add attribute and flag checks during map creation A persistence map is expected to hold refs=2 during its creation. However, the Fuzzy test can create a persistence map by configuring a mismatch between attributes and flags using the KEEP MAP attribute and FD NOMAP flags. This sets the map reference count to 1. The user then calls fastrpc_internal_munmap_fd to free the map since it doesn't check flags, which can cause a use-after-free (UAF) for the file map and shared buffer. Add a check to restrict DMA handle maps with invalid attributes. Change-Id: I2f024ef99cc2a0487010504166e3af3433d5302d Acked-by: Santosh Signed-off-by: Abhinav Parihar
---
 drivers/char/adsprpc.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index 8bc094fd2d80..dcffd78a1b64 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -1026,6 +1026,12 @@ static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd,
 map->size = len;
 map->va = (uintptr_t)region_vaddr;
 } else if (mflags == FASTRPC_DMAHANDLE_NOMAP) {
+ if (map->attr & FASTRPC_ATTR_KEEP_MAP) {
+ pr_err("adsprpc: %s: Invalid attribute 0x%x for fd %d\n",
+ __func__, map->attr, fd);
+ err = -EINVAL;
+ goto bail;
+ }
 VERIFY(err, !IS_ERR_OR_NULL(map->buf = dma_buf_get(fd)));
 if (err)
 goto bail;
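Review bot: The new `pr_err` in the `FASTRPC_DMAHANDLE_NOMAP` branch fires on a condition that userspace controls (the commit message says a fuzz test reaches it by pairing the KEEP_MAP attribute with the NOMAP flag), so a caller that repeats the invalid request can flood the kernel log; `pr_err_ratelimited("adsprpc: %s: Invalid attribute 0x%x for fd %d\n", __func__, map->attr, fd);` keeps the diagnostic without that exposure. The check runs after `map` already exists and leaves through `goto bail`, whose cleanup is outside the hunk, so it is worth confirming that `bail` releases the partially built map on this early exit. The commit message also states that fastrpc_internal_munmap_fd does not check flags, and this change leaves that path as it is; a matching flag check there would presumably keep the refcount invariant from resting on creation-time validation alone. fastrpc_mmap_create starts and ends outside the hunk.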