msm: adsprpc: restrict user apps from sending kernel RPC messages

Verify that user applications are not using the kernel RPC message
handle to restrict them from directly attaching to guest OS on the
remote subsystem.

Bug: 129852114
Change-Id: Icfa114a12f2bebbe815eb9930027fded51f717fd
Acked-by: Thyagarajan Venkatanarayanan <venkatan@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
[haggertk: Backport to 3.4/msm8974]
CVE-2019-2308
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Tharun Kumar Merugu 2019-02-02 01:22:47 +05:30 committed by Francescodario Cuzzocrea
parent 6abc33f381
commit 9fdf4873de


@ -1,5 +1,5 @@
/*
* Copyright (c) 2012-2014, 2018 The Linux Foundation. All rights reserved.
* Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@ -45,6 +45,8 @@
#define BALIGN 32
#define NUM_CHANNELS 1
#define FASTRPC_STATIC_HANDLE_KERNEL (1)
#define LOCK_MMAP(kernel)\
do {\
if (!kernel)\
@ -969,6 +971,15 @@ static int fastrpc_internal_invoke(struct fastrpc_apps *me, uint32_t mode,
int interrupted = 0;
int err = 0;
if (!kernel) {
VERIFY(err, invoke->handle != FASTRPC_STATIC_HANDLE_KERNEL);
if (err) {
pr_err("adsprpc: ERROR: %s: user application %s trying to send a kernel RPC message to channel %d",
__func__, current->comm, cid);
goto bail;
}
}
if(!kernel) {
VERIFY(err, 0 == context_restore_interrupted(me, invokefd, cid, &ctx));
if (err)
@ -1049,7 +1060,7 @@ static int fastrpc_create_current_dsp_process(int cid)
tgid = current->tgid;
ra[0].buf.pv = &tgid;
ra[0].buf.len = sizeof(tgid);
ioctl.inv.handle = 1;
ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL;
ioctl.inv.sc = REMOTE_SCALARS_MAKE(0, 1, 0);
ioctl.inv.pra = ra;
ioctl.fds = 0;
@ -1069,7 +1080,7 @@ static int fastrpc_release_current_dsp_process(int cid)
tgid = current->tgid;
ra[0].buf.pv = &tgid;
ra[0].buf.len = sizeof(tgid);
ioctl.inv.handle = 1;
ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL;
ioctl.inv.sc = REMOTE_SCALARS_MAKE(1, 1, 0);
ioctl.inv.pra = ra;
ioctl.fds = 0;
@ -1109,7 +1120,7 @@ static int fastrpc_mmap_on_dsp(struct fastrpc_apps *me,
ra[2].buf.pv = &routargs;
ra[2].buf.len = sizeof(routargs);
ioctl.inv.handle = 1;
ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL;
ioctl.inv.sc = REMOTE_SCALARS_MAKE(2, 2, 1);
ioctl.inv.pra = ra;
ioctl.fds = 0;
@ -1140,7 +1151,7 @@ static int fastrpc_munmap_on_dsp(struct fastrpc_apps *me,
ra[0].buf.pv = &inargs;
ra[0].buf.len = sizeof(inargs);
ioctl.inv.handle = 1;
ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL;
ioctl.inv.sc = REMOTE_SCALARS_MAKE(3, 1, 0);
ioctl.inv.pra = ra;
ioctl.fds = 0;
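Review bot: The rejection branch added to fastrpc_internal_invoke (the first `if (!kernel)` block) logs through an unthrottled `pr_err` on a path a user-space caller triggers just by passing handle 1, and the format string has no trailing newline, so repeated calls can flood the kernel log and the record can run into the next message. I would use `pr_err_ratelimited("adsprpc: ERROR: %s: user application %s trying to send a kernel RPC message to channel %d\n", __func__, current->comm, cid);` instead. The value returned to the caller is whatever `VERIFY` leaves in `err`, which is not visible here, so it is worth confirming that it is a permission-style errno rather than a generic failure. The new block could also be folded into the `if (!kernel)` that immediately follows it; the function's body starts and ends outside this hunk.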