TechPanelGM/kernel_xiaomi_sm8250
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BACKPORT: dsp-kernel: Add attribute and flag checks during map creation

Browse Source 
A persistence map is expected to hold refs=2 during its creation.
However, the Fuzzy test can create a persistence map by configuring
a mismatch between attributes and flags using the KEEP MAP attribute
and FD NOMAP flags. This sets the map reference count to 1. The user
then calls fastrpc_internal_munmap_fd to free the map since it
doesn't check flags, which can cause a use-after-free (UAF) for the
file map and shared buffer. Add a check to restrict DMA handle
maps with invalid attributes.

Change-Id: I2f024ef99cc2a0487010504166e3af3433d5302d
Acked-by: Santosh <quic_ssakore@quicinc.com>
Signed-off-by: Abhinav Parihar <quic_parihar@quicinc.com>
This commit is contained in:
Abhinav Parihar
2024-12-17 18:34:34 +05:30
committed by Michael Bestas
parent 8736793a17
commit 5d4b707b45
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/char/adsprpc.c
View File

@@ -1026,6 +1026,12 @@ static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd,
map->size = len; map->size = len;
map->va = (uintptr_t)region_vaddr; map->va = (uintptr_t)region_vaddr;
} else if (mflags == FASTRPC_DMAHANDLE_NOMAP) { } else if (mflags == FASTRPC_DMAHANDLE_NOMAP) {
if (map->attr & FASTRPC_ATTR_KEEP_MAP) {
pr_err("adsprpc: %s: Invalid attribute 0x%x for fd %d\n",
__func__, map->attr, fd);
err = -EINVAL;
goto bail;
}
VERIFY(err, !IS_ERR_OR_NULL(map->buf = dma_buf_get(fd))); VERIFY(err, !IS_ERR_OR_NULL(map->buf = dma_buf_get(fd)));
if (err) if (err)
goto bail; goto bail;