From 8290b69077bf0b16701094561feba143040767bf Mon Sep 17 00:00:00 2001 From: Deepak Kumar Singh Date: Wed, 5 Feb 2020 15:53:02 +0530 Subject: [PATCH] net: ipc_router: Do not allow change of default security rule Default security rule is freed while it is being used to check security permission in ipcrtr send api. This results in use after free case. Default security rule should not be changed, removing the code to change default rule from user space. CRs-Fixed: 2591650 Change-Id: I08788102a0748b6bc72cb3c77b46de2d65ede91d Signed-off-by: Deepak Kumar Singh
---
 net/ipc_router/ipc_router_security.c | 22 ++++++++--------------
 1 file changed, 8 insertions(+), 14 deletions(-)
diff --git a/net/ipc_router/ipc_router_security.c b/net/ipc_router/ipc_router_security.c
index c7c532a23172..36763d1b44c7 100644
--- a/net/ipc_router/ipc_router_security.c
+++ b/net/ipc_router/ipc_router_security.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2014,2020, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -101,7 +101,7 @@ EXPORT_SYMBOL(check_permissions);
 int msm_ipc_config_sec_rules(void *arg)
 {
 struct config_sec_rules_args sec_rules_arg;
- struct security_rule *rule, *temp_rule;
+ struct security_rule *rule;
 int key;
 size_t kgroup_info_sz;
 int ret;
@@ -117,6 +117,10 @@ int msm_ipc_config_sec_rules(void *arg)
 if (ret)
 return -EFAULT;
+ /* Default rule change from config util not allowed */
+ if (sec_rules_arg.service_id == ALL_SERVICE)
+ return -EINVAL;
+
 if (sec_rules_arg.num_group_info <= 0)
 return -EINVAL;
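Review bot: The comment on the new `ALL_SERVICE` guard in the `-117,6 +117,10` hunk says what is rejected but not why, and the reason is the security-relevant part: per the commit message the default rule was being freed while the send path was still using it. I would record the invariant there, e.g. `/* The default rule is used by the send path and must never be replaced or freed once installed; reject user-space requests that target it. */`. The guard sits before any allocation visible in this hunk, so the early return does not look like it leaks, but the function body continues outside the hunk. Returning `-EINVAL` also makes this refusal indistinguishable from the `num_group_info` argument check just below; whether callers need to tell the two apart is not visible here.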
@@ -174,21 +178,11 @@ int msm_ipc_config_sec_rules(void *arg)
 key = rule->service_id & (SEC_RULES_HASH_SZ - 1);
 down_write(&security_rules_lock_lha4);
- if (rule->service_id == ALL_SERVICE) {
- temp_rule = list_first_entry(&security_rules[key],
- struct security_rule, list);
- list_del(&temp_rule->list);
- kfree(temp_rule->group_id);
- kfree(temp_rule);
- }
 list_add_tail(&rule->list, &security_rules[key]);
 up_write(&security_rules_lock_lha4);
- if (rule->service_id == ALL_SERVICE)
- msm_ipc_sync_default_sec_rule((void *)rule);
- else
- msm_ipc_sync_sec_rule(rule->service_id, rule->instance_id,
- (void *)rule);
+ msm_ipc_sync_sec_rule(rule->service_id,
+ rule->instance_id, (void *)rule);
 return 0;
 }
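Review bot: With the `ALL_SERVICE` branch removed, `msm_ipc_sync_default_sec_rule()` has no caller left in this function; if nothing else uses it (not visible in this patch), it should be dropped together with its declaration so the replace-the-default path does not linger as dead code. The remaining `msm_ipc_sync_sec_rule(...)` call still passes `rule` after `up_write()`, which is only safe while no other path frees entries on `security_rules[]`; a short comment such as `/* rules are never freed once listed, so rule stays valid after unlock */` would record that, assuming it holds. The `(void *)` cast on `rule` is not needed in C. The function begins outside this hunk.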