Piteball
/
android_kernel_samsung_msm8976
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity

msm: adsprpc: restrict user apps from sending kernel RPC messages 

Verify that user applications are not using the kernel RPC message
handle to restrict them from directly attaching to guest OS on the
remote subsystem.

Change-Id: Icfa114a12f2bebbe815eb9930027fded51f717fd
Acked-by: Thyagarajan Venkatanarayanan <venkatan@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
[L R - Backport to 3.10]
Signed-off-by: L R <syphyr@gmail.com>
This commit is contained in:
Tharun Kumar Merugu 2019-02-02 01:22:47 +05:30 committed by syphyr
parent 28f692a931
commit 034c3d6156
1 changed files with 18 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
drivers/char/adsprpc.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2012-2015,2017 The Linux Foundation. All rights reserved.
* Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@ -60,6 +60,8 @@
#define IS_CACHE_ALIGNED(x) (((x) & ((L1_CACHE_BYTES)-1)) == 0)
#define FASTRPC_STATIC_HANDLE_KERNEL (1)
static inline uint64_t buf_page_start(uint64_t buf)
{
uint64_t start = (uint64_t) buf & PAGE_MASK;
@ -1121,6 +1123,15 @@ static int fastrpc_internal_invoke(struct fastrpc_file *fl, uint32_t mode,
int interrupted = 0;
int err = 0;
if (!kernel) {
VERIFY(err, invoke->handle != FASTRPC_STATIC_HANDLE_KERNEL);
if (err) {
pr_err("adsprpc: ERROR: %s: user application %s trying to send a kernel RPC message to channel %d",
__func__, current->comm, cid);
goto bail;
}
}
if (!kernel) {
VERIFY(err, 0 == context_restore_interrupted(fl, invokefd,
&ctx));
@ -1186,7 +1197,7 @@ static int fastrpc_init_process(struct fastrpc_file *fl,
int tgid = current->tgid;
ra[0].buf.pv = (void *)&tgid;
ra[0].buf.len = sizeof(tgid);
ioctl.inv.handle = 1;
ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL;
ioctl.inv.sc = REMOTE_SCALARS_MAKE(0, 1, 0);
ioctl.inv.pra = ra;
ioctl.fds = NULL;
@ -1236,7 +1247,7 @@ static int fastrpc_init_process(struct fastrpc_file *fl,
ra[3].buf.len = 1 * sizeof(*pages);
fds[3] = 0;
ioctl.inv.handle = 1;
ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL;
ioctl.inv.sc = REMOTE_SCALARS_MAKE(6, 4, 0);
ioctl.inv.pra = ra;
ioctl.fds = fds;
@ -1265,7 +1276,7 @@ static int fastrpc_release_current_dsp_process(struct fastrpc_file *fl)
tgid = fl->tgid;
ra[0].buf.pv = (void *)&tgid;
ra[0].buf.len = sizeof(tgid);
ioctl.inv.handle = 1;
ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL;
ioctl.inv.sc = REMOTE_SCALARS_MAKE(1, 1, 0);
ioctl.inv.pra = ra;
ioctl.fds = NULL;
@ -1308,7 +1319,7 @@ static int fastrpc_mmap_on_dsp(struct fastrpc_file *fl, uint32_t flags,
ra[2].buf.pv = (void *)&routargs;
ra[2].buf.len = sizeof(routargs);
ioctl.inv.handle = 1;
ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL;
if (fl->apps->compat)
ioctl.inv.sc = REMOTE_SCALARS_MAKE(4, 2, 1);
else
@ -1348,7 +1359,7 @@ static int fastrpc_munmap_on_dsp_rh(struct fastrpc_file *fl,
ra[0].buf.pv = (void *)&routargs;
ra[0].buf.len = sizeof(routargs);
ioctl.inv.handle = 1;
ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL;
ioctl.inv.sc = REMOTE_SCALARS_MAKE(7, 0, 1);
ioctl.inv.pra = ra;
ioctl.fds = NULL;
@ -1392,7 +1403,7 @@ static int fastrpc_munmap_on_dsp(struct fastrpc_file *fl,
ra[0].buf.pv = (void *)&inargs;
ra[0].buf.len = sizeof(inargs);
ioctl.inv.handle = 1;
ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL;
if (fl->apps->compat)
ioctl.inv.sc = REMOTE_SCALARS_MAKE(5, 1, 0);
else