iommu: Fix missing return check of arm_lpae_init_pte
A UAF scenario may occur in clients with EL1 privileges for
iova mappings when we fail to check the return value of
arm_lpae_init_pte, which may lead to a PTE being counted as
set even if it already existed. This can leave a
dangling IOMMU PTE mapped and pointing to a
freed object, causing a UAF in the client if the dangling PTE
is accessed after a failed unmap operation.
Fixes: 27de1978c3 ("ANDROID: GKI: iommu/io-pgtable-arm: LPAE related updates by vendor")
Change-Id: I674b9b520e705b8f8e63ba20ed76e64cb2fe0f47
Signed-off-by: Pratyush Brahma <quic_pbrahma@quicinc.com>
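--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -670,9 +670,11 @@ static int arm_lpae_map_sg(struct io_pgtable_ops *ops, unsigned long iova,
 arm_lpae_iopte *ptep = ms.pgtable +
 ARM_LPAE_LVL_IDX(iova, MAP_STATE_LVL,
 data);
-arm_lpae_init_pte(
+ret = arm_lpae_init_pte(
 data, iova, phys, prot, MAP_STATE_LVL,
 ptep, ms.prev_pgtable, false);
+if (ret)
+goto out_err;
 ms.num_pte++;
 } else {
 ret = __arm_lpae_map(data, iova, phys, pgsize,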
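Review bot: The new `if (ret) goto out_err;` makes the fix depend on what `out_err` unwinds, and that label, the declaration of `ret`, and the rest of arm_lpae_map_sg all lie outside the hunk, so the unwind cannot be checked here. If arm_lpae_init_pte rejects an already-populated PTE, the pending `ms` batch covers earlier pages but not the failing one; the unwind should then only undo mappings up to the current `iova` and must not unmap the pre-existing entry, which belongs to another mapping — worth confirming rather than assuming. A short comment at the call site would make the intent visible to the next reader, e.g. `/* An already-present PTE is an error: do not count it in ms.num_pte or flush it as new. */`. The skipped `ms.num_pte++` on the error path is the right behaviour, since counting the entry is what previously left a stale PTE behind.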