A persistence map is expected to hold refs=2 during its creation.
However, the Fuzzy test can create a persistence map by configuring
a mismatch between attributes and flags using the KEEP MAP attribute
and FD NOMAP flags. This sets the map reference count to 1. The user
then calls fastrpc_internal_munmap_fd to free the map since it
doesn't check flags, which can cause a use-after-free (UAF) for the
file map and shared buffer. Add a check to restrict DMA handle
maps with invalid attributes.
Change-Id: I2f024ef99cc2a0487010504166e3af3433d5302d
Acked-by: Santosh <quic_ssakore@quicinc.com>
Signed-off-by: Abhinav Parihar <quic_parihar@quicinc.com>
Decrement and check the ref count of map
inside the lock. Otherwise, two threads may
free the same map.
Change-Id: I081b937bfd3e8da3e2480f062cad6966662994b5
Acked-by: Sharad Kumar <sharku@qti.qualcomm.com>
Signed-off-by: Abhinav Parihar <quic_parihar@quicinc.com>
Currently, the DSP updates header buffers with unused DMA handle fds.
In the put_args section, if any DMA handle FDs are present in the
header buffer, the corresponding map is freed. However, since the
header buffer is exposed to users in unsigned PD, users can update
invalid FDs. If this invalid FD matches with any FD that is already
in use, it could lead to a use-after-free (UAF) vulnerability.
As a solution,add DMA handle references for DMA FDs, and the map for
the FD will be freed only when a reference is found.
Acked-by: Om Deore <quic_odeore@quicinc.com>
Change-Id: I3c2614451f7b3717236708ee5e9b88f16f6e435d
Signed-off-by: Santosh <quic_ssakore@quicinc.com>
Currently, remote heap maps get added to the global list before the
fastrpc_internal_mmap function completes the mapping. Meanwhile, the
fastrpc_internal_munmap function accesses the map, starts unmapping, and
frees the map before the fastrpc_internal_mmap function completes,
resulting in a use-after-free (UAF) issue. Add the map to the list after
the fastrpc_internal_mmap function completes the mapping.
Change-Id: I73c536718f3228b7cbb7a19b76270e0dd3e32bd1
Acked-by: Abhishek Singh <abhishes@qti.qualcomm.com>
Signed-off-by: Santosh Sakore <quic_ssakore@quicinc.com>
Current subsystem state flag cannot define all state of the subsystem.
Different handling might be needed for different subsystem states.
Add multiple subsystem state support.
Change-Id: Id091dfded583c8cd7e95c0d306de6dd34b03485d
Signed-off-by: Abhinav Parihar <quic_parihar@quicinc.com>
Added reference count for contex map indicate memory under used
in remote call. And, this memory would not removed in internal
unmap to avoid UAF.
Change-Id: Ieb4ff6b298ff9c48953bc5b3539fdfe19a14b442
Acked-by: DEEPAK SANNAPAREDDY <sdeeredd@qti.qualcomm.com>
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
Process init memory allowed to initialize only once
to fix possible improper acecss from remote processor.
Change-Id: Ic1a13738146fcf0d170abd76b50bdc6a75871755
Acked-by: Abhinav Parihar <parihar@qti.qualcomm.com>
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
A check is introduced to restrict the double call of
hyp_assign_phys for the same address.
Change-Id: I0ac984af9fe456d317c7c2d99d6d1290f86830e8
Acked-by: Sandheep Balasubramanian <sandheep@qti.qualcomm.com>
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
Add check for channel ID in fastrpc_buf_alloc to
fix out of bounds access.
Change-Id: I92f2717edcc91c19309589ce7c11c91c8129b71a
Acked-by: Abhinav Parihar <parihar@qti.qualcomm.com>
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
Untrusted application can attach to guestOS and staticPD if it can
somehow make INIT IOCTL call with ATTACH flag. This is a potential
security issue as the untrusted application can crash guestOS or
staticPD. Restrict attach to guestOS or staticPD request if request
is being made using non-secure device node.
Change-Id: I322c7b242fd0baaf1c1bce2d83b992fecb0ca593
Acked-by: Ekansh Gupta <ekangupt@qti.qualcomm.com>
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
Query for unsigned pd support on cDSP domain and update
the unsigned_support flag during fastrpc_init process.
Change-Id: I61f4c748ad08155f418422183acc8473a7b0e0a8
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
Wait for shutdown to complete, before further unmapping
memory in release.
Change-Id: Ic574a3e851f99aa946b2e062fa7a752c64b9f2b2
Acked-by: Deepika Singh <dsi@qti.qualcomm.com>
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
Do length check while mapping ion buffers to
avoid arbitrary physical memory read on DSP
which can lead to DOS.
Change-Id: I6334d4ceac795595aa3dc4bc71e6c736d2461c51
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
Use lock to protect maps amongst multiple
threads to avoid race condition.
Change-Id: Ib0c83dd38ea8e5acb54a1478d10b02385c27ba31
Signed-off-by: Swathi K <quic_c_kataka@quicinc.com>
Added flag to indicate memory used
in process initialization. And, this memory
would not removed in internal unmap to avoid
UAF or double free.
Change-Id: Ie470fe58ac334421d186feb41fa67bd24bb5efea
Signed-off-by: prabha <prabha@codeaurora.org>
When attaching to audiopd on ADSP, allocate one
extra byte for the process name so that it is
null terminated when data is copied from file
pointer in the userspace.
Change-Id: I98ac64a4c16f44fa4fd0e09da1648b9d78d65a82
Signed-off-by: prabha <prabha@codeaurora.org>
Protect maps using map mutex as well as avoid
deadlock during SSR in case of legacy targets.
Change-Id: Ia972302a8830d501c40d06df79e7eb305327c5ad
Acked-by: Deepika Singh <dsi@qti.qualcomm.com>
Signed-off-by: Jeya R <jeyr@codeaurora.org>
Deadlock is happening because map_mutex and smd_mutex lock is
acquired before fastrpc_mmap_remove_ssr() call and inside again
in get_args() and fastrpc_invoke_send() respectively. Added
lock only to critical sections in need.
Change-Id: I900e44790ec0285b7b156542bf599092479dc864
Signed-off-by: Vamsi krishna Gattupalli <vgattupa@codeaurora.org>
Added flag to indicate memory used
in process initialization. And, this memory
would not removed in internal unmap to avoid
UAF or double free.
Change-Id: I99e8e4f94644c5d47b4863f89b308bd5de49c1d7
Acked-by: Krishnaiah Tadakamalla <ktadakam@qti.qualcomm.com>
Signed-off-by: Jeya R <jeyr@codeaurora.org>
Remove bad ioctl log as it can lead to flooding
in new ioctls scenarios which are not supported on
on kernel .
Change-Id: I548e606660c722f410c12a19cf71a4fc10ee6a22
Acked-by: Deepika Singh <dsi@qti.qualcomm.com>
Signed-off-by: Jeya R <jeyr@codeaurora.org>
Added extra checks to reject session request
when third party applications spawn signed PD.
Change-Id: I9d975cc29113ff651b543fbe765feea3b11fbe94
Acked-by: Krishnaiah Tadakamalla <ktadakam@qti.qualcomm.com>
Signed-off-by: Jeya R <jeyr@codeaurora.org>
Create local copy of current->comm to avoid the possibility of modification
in race condition.
Change-Id: Ie10f6577ed7edb9279a36039348e7a1ad25239f9
Acked-by: Nishant Chaubey <chaubey@qti.qualcomm.com>
Signed-off-by: Jeya R <jeyr@codeaurora.org>
Free DMA handle fd maps in case of error while creating
map for other handles.
Change-Id: Iae062bc958a58f38e4424fab88b451813478ae97
Acked-by: Deepika Singh <dsi@qti.qualcomm.com>
Signed-off-by: Vamsi krishna Gattupalli <vgattupa@codeaurora.org>
To check if DSP is supported or not, we make
fs call for subsystem device node. This node
is not accessible to untrusted applications.
Use subsystem status flag instead to avoid
permission issues and return proper error
in case subsystem is not up.
Change-Id: Ia19e31b899600e5d765c0a3582bdf9132c9b67bf
Acked-by: Ekansh Gupta <ekangupt@qti.qualcomm.com>
Signed-off-by: Vamsi krishna Gattupalli <vgattupa@codeaurora.org>
changes in fastrpc for porting kernel to 4.19.
Change-Id: I19bfa21914e6c6cb9c4c6e1c4c9a75bdb0594381
Signed-off-by: Akhil Manikoth Kallankandy <akhika@codeaurora.org>
Added a check to validate map before freeing it to avoid Use after
free scenario.
Change-Id: I484391ff7c55c0689530a928a2821ee5a1a0e10c
Signed-off-by: Jeya R <jeyr@codeaurora.org>
Adding a null pointer for sctx before dereferencing.
Change-Id: I1497eea2b9cb7bb75481246df47269796aff182d
Acked-by: Maitreyi Gupta <maitreyi@qti.qualcomm.com>
Signed-off-by: Jeya R <jeyr@codeaurora.org> Please enter the commit message for your changes. Lines starting
Add cid check before making PW awake request
to avoid out of bound scenario due to improper
array index.
Change-Id: I91335e17dbc1cb03467d50cc2367cadc9b3bd9c8
Acked-by: Ekansh Gupta <ekangupt@qti.qualcomm.com>
Signed-off-by: Jeya R <jeyr@codeaurora.org>
Enabled ram dump collection for CMA memory
that is used for remote heap and dynamic loading memory.
Change-Id: I07fe071ee90b39204822aee368b52b7e63b5600d
Acked-by: Krishnaiah Tadakamalla <ktadakam@qti.qualcomm.com>
Signed-off-by: Jeya R <jeyr@codeaurora.org>
Reject the session when third party applications
try to spawn signed PD and channel configured as secure.
Change-Id: Ic450a8c7dad430dfcdc4ae7354e29e63d9fae4a3
Acked-by: Krishnaiah Tadakamalla <ktadakam@qti.qualcomm.com>
Signed-off-by: Jeya R <jeyr@codeaurora.org>
Serialize kzalloc in fastrpc_set_process_info and prevent use
after free.
Change-Id: I02d62182a234ef40ce33165247fc578f6727d27a
Signed-off-by: Anirudh Raghavendra <araghave@codeaurora.org>
Remove the redundant check for static pd handle as pd up
variable also serves for the same purpose.It is sufficient
to check for ispdup state.
Change-Id: I0c42f9a5ac347cb774983544c12e46d9431aab93
Signed-off-by: Jeya R <jeyr@codeaurora.org>
Protect remote heap buffer list with spin lock while freeing
to avoid UAF in fastrpc_mmap_find() on a buffer that is freed
in fastrpc_mmap_free().
Change-Id: Ic3d5219898fcf23fb813eabe5fc2f187b397a472
Acked-by: Deepika Singh <dsi@qti.qualcomm.com>
Signed-off-by: Jeya R <jeyr@codeaurora.org>
When fd is zero, we set context fds to NULL. This will avoid
calling map create for context. Proper check is required
to avoid dereferencing of map and fd.
Change-Id: Id8d4b93d7d999e14ac1ebd8291137f799a73cf1a
Acked-by: Ekansh Gupta <ekangupt@qti.qualcomm.com>
Signed-off-by: Jeya R <jeyr@codeaurora.org>
For allocating memory from DMA we need to do a size check.
This validation is required to avoid any improper paging
request. We already have the range in which the size is
expected to be.
Change-Id: I9328c77704b712b0238815f8b410bd5b37036dcf
Acked-by: Ekansh Gupta <ekangupt@qti.qualcomm.com>
Signed-off-by: Jeya R <jeyr@codeaurora.org>
Current code doesn't clean up buffers and dma handles when failure
is seen in the remote invocation to DSP. This will end up leaking
buffers and also dma handles pointing to wrong memory in the fastrpc
kernel. Clean buffers and dma handles even when remote invocation to
DSP returns failure.
Change-Id: I23998a1825f14a4c97380e284626df18f5045ed8
Signed-off-by: Himateja Reddy <hmreddy@codeaurora.org>
Current mmap create does a map size check in one of the case
to avoid SMMU faults. There is a duplicate check for the same
and logs are not getting printed properly if map size is not
proper.
Change-Id: I8acd321b7204968b5edd9457dba07eddd893e1bf
Acked-by: Ekansh Gupta <ekangupt@qti.qualcomm.com>
Signed-off-by: Jeya R <jeyr@codeaurora.org>
Removed marking the static process is closed
in ADSP SSR call back. Any way, this is
handled during the PDR callback.
Change-Id: I4406ad7559ef5222e8d78b545dfde0168c513eae
Acked-by: Tadakamalla Krishnaiah <ktadakam@qti.qualcomm.com>
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
Add check to restrict index underflow.This is to avoid
that it does not access invalid index.
Change-Id: Ib971033c5820ca4dab38ace3b106c7b1b42529e4
Acked-by: Gururaj Chalger <gchalger@qti.qualcomm.com>
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
