net: ipc_router: Do not allow change of default security rule

The default security rule is freed while it is still being used to
check security permissions in the ipcrtr send API. This results in a
use-after-free.

Default security rule should not be changed, removing the code
to change default rule from user space.

CRs-Fixed: 2591650
Change-Id: I08788102a0748b6bc72cb3c77b46de2d65ede91d
Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
Deepak Kumar Singh 2020-02-05 15:53:02 +05:30 committed by L R
parent 26bf2356b5
commit 8290b69077
1 changed files with 8 additions and 14 deletions


@ -1,4 +1,4 @@
/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
/* Copyright (c) 2012-2014,2020, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@ -101,7 +101,7 @@ EXPORT_SYMBOL(check_permissions);
int msm_ipc_config_sec_rules(void *arg)
{
struct config_sec_rules_args sec_rules_arg;
struct security_rule *rule, *temp_rule;
struct security_rule *rule;
int key;
size_t kgroup_info_sz;
int ret;
@ -117,6 +117,10 @@ int msm_ipc_config_sec_rules(void *arg)
if (ret)
return -EFAULT;
/* Default rule change from config util not allowed */
if (sec_rules_arg.service_id == ALL_SERVICE)
return -EINVAL;
if (sec_rules_arg.num_group_info <= 0)
return -EINVAL;
@ -174,21 +178,11 @@ int msm_ipc_config_sec_rules(void *arg)
key = rule->service_id & (SEC_RULES_HASH_SZ - 1);
down_write(&security_rules_lock_lha4);
if (rule->service_id == ALL_SERVICE) {
temp_rule = list_first_entry(&security_rules[key],
struct security_rule, list);
list_del(&temp_rule->list);
kfree(temp_rule->group_id);
kfree(temp_rule);
}
list_add_tail(&rule->list, &security_rules[key]);
up_write(&security_rules_lock_lha4);
if (rule->service_id == ALL_SERVICE)
msm_ipc_sync_default_sec_rule((void *)rule);
else
msm_ipc_sync_sec_rule(rule->service_id, rule->instance_id,
(void *)rule);
msm_ipc_sync_sec_rule(rule->service_id,
rule->instance_id, (void *)rule);
return 0;
}
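Review bot: The comment on the new `ALL_SERVICE` check says the change is not allowed but not why, and the reason is a lifetime rule the rest of `msm_ipc_config_sec_rules` still depends on. After `up_write(&security_rules_lock_lha4)` the function still dereferences `rule` and hands it to `msm_ipc_sync_sec_rule()`, so a published rule is presumably held by pointer outside the lock and must never be freed; this should be confirmed against `msm_ipc_sync_sec_rule()` and the send-path check, which are not visible here. I would expand the comment to `/* Published rules are referenced outside security_rules_lock_lha4 and are never freed; replacing the default rule would need a free, so reject it. */` so that a later change does not reintroduce a removal path. The function's allocation and group-info copy lie between the visible hunks, so this note covers only the lines shown.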