|
From b518b33d4b7da7df5a0348a97ffb4f35be819937 Mon Sep 17 00:00:00 2001
|
||
|
From: Skylar Chang <chiaweic@codeaurora.org>
|
||
|
Date: Fri, 8 Jul 2016 16:20:33 -0700
|
||
|
Subject: msm: ipa: fix potential race condition ioctls
|
||
|
|
||
|
There are potential race condition ioctls in
|
||
|
the IPA driver when it copies the actual
|
||
|
arguments from the user-space memory to the
|
||
|
IPA-driver. The fix is to add check on the 2nd
|
||
|
copy to make sure the same payload size is copied
|
||
|
to the pre-allocated kernel memory as in during
|
||
|
the 1st copy.
|
||
|
|
||
|
Change-Id: I5a440f89153518507acdf5dad42625503732e59a
|
||
|
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
|
||
|
---
|
||
|
drivers/platform/msm/ipa/ipa_v2/ipa.c | 226 +++++++++++++++++++++++++-----
|
||
|
drivers/platform/msm/ipa/ipa_v3/ipa.c | 257 +++++++++++++++++++++++++++++-----
|
||
|
2 files changed, 411 insertions(+), 72 deletions(-)
|
||
|
|
||
|
diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa.c b/drivers/platform/msm/ipa/ipa_v2/ipa.c
|
||
|
index 07b934f..72c9e8e 100644
|
||
|
--- a/drivers/platform/msm/ipa/ipa_v2/ipa.c
|
||
|
+++ b/drivers/platform/msm/ipa/ipa_v2/ipa.c
|
||
|
@@ -575,6 +575,7 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
struct ipa_ioc_v4_nat_del nat_del;
|
||
|
struct ipa_ioc_rm_dependency rm_depend;
|
||
|
size_t sz;
|
||
|
+ int pre_entry;
|
||
|
|
||
|
IPADBG("cmd=%x nr=%d\n", cmd, _IOC_NR(cmd));
|
||
|
|
||
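Review bot: `int pre_entry;` is signed, yet the later hunks assign it from user-supplied count fields (`entries`, `num_hdrs`, `num_tx_props`, `msg_len` and others) and multiply it by `sizeof(...)` to size the `kzalloc`. The field declarations are not on this page; if any of them is an unsigned 32-bit value, a count above INT_MAX becomes negative here and can convert to a very large `size_t` in `pre_entry * sizeof(...)`. The later `!= pre_entry` test would not catch that, because it only proves the two fetches agree, not that the count is sane. Declaring it with the width and signedness of the widest count field, for example `u32 pre_entry;` with `%u` in the IPAERR calls, avoids the sign change. The same declaration is added to ipa3_ioctl in ipa_v3/ipa.c, and both function bodies continue outside the hunk.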
|
@@ -623,11 +624,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
-
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_nat_dma_cmd *)header)->entries;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_nat_dma_cmd) +
|
||
|
- ((struct ipa_ioc_nat_dma_cmd *)header)->entries *
|
||
|
- sizeof(struct ipa_ioc_nat_dma_one);
|
||
|
+ pre_entry * sizeof(struct ipa_ioc_nat_dma_one);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -638,7 +639,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
-
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_nat_dma_cmd *)param)->entries
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_nat_dma_cmd *)param)->entries,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa2_nat_dma_cmd((struct ipa_ioc_nat_dma_cmd *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
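Review bot: The comment above the new check, `/* add check in case user-space module compromised */`, does not say what is compared or why a mismatch is dangerous. The hunk tests the count in the second copy (`param`) against `pre_entry`, the value that sized the allocation. A comment such as `/* user space can change the count between the two copies; reject a value that differs from the one used to size param */` would record the double-fetch reasoning given in the commit message. The same comment is repeated in every later check hunk of both files. The enclosing case block starts and ends outside the hunk.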
|
@@ -663,10 +672,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_add_hdr *)header)->num_hdrs;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_add_hdr) +
|
||
|
- ((struct ipa_ioc_add_hdr *)header)->num_hdrs *
|
||
|
- sizeof(struct ipa_hdr_add);
|
||
|
+ pre_entry * sizeof(struct ipa_hdr_add);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -676,6 +686,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_add_hdr *)param)->num_hdrs
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_add_hdr *)param)->num_hdrs,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa2_add_hdr((struct ipa_ioc_add_hdr *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
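Review bot: The `IPAERR(...)` call in the new mismatch branch sits on a path the caller controls, so a process that deliberately changes the count between the two copies can emit one error line per ioctl. IPAERR's definition is not on this page; if it is not rate limited, a rate-limited print such as `pr_err_ratelimited` would keep the kernel log usable while still recording the event for detection. This applies to every mismatch branch the commit adds in ipa_v2/ipa.c and ipa_v3/ipa.c.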
|
@@ -692,10 +711,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_del_hdr *)header)->num_hdls;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_del_hdr) +
|
||
|
- ((struct ipa_ioc_del_hdr *)header)->num_hdls *
|
||
|
- sizeof(struct ipa_hdr_del);
|
||
|
+ pre_entry * sizeof(struct ipa_hdr_del);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -705,6 +725,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_del_hdr *)param)->num_hdls
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_del_hdr *)param)->num_hdls,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa2_del_hdr((struct ipa_ioc_del_hdr *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
@@ -721,10 +750,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_add_rt_rule *)header)->num_rules;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_add_rt_rule) +
|
||
|
- ((struct ipa_ioc_add_rt_rule *)header)->num_rules *
|
||
|
- sizeof(struct ipa_rt_rule_add);
|
||
|
+ pre_entry * sizeof(struct ipa_rt_rule_add);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -734,6 +764,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_add_rt_rule *)param)->num_rules
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_add_rt_rule *)param)->
|
||
|
+ num_rules,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa2_add_rt_rule((struct ipa_ioc_add_rt_rule *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
@@ -750,10 +790,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_mdfy_rt_rule *)header)->num_rules;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_mdfy_rt_rule) +
|
||
|
- ((struct ipa_ioc_mdfy_rt_rule *)header)->num_rules *
|
||
|
- sizeof(struct ipa_rt_rule_mdfy);
|
||
|
+ pre_entry * sizeof(struct ipa_rt_rule_mdfy);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -763,6 +804,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_mdfy_rt_rule *)param)->num_rules
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_mdfy_rt_rule *)param)->
|
||
|
+ num_rules,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa2_mdfy_rt_rule((struct ipa_ioc_mdfy_rt_rule *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
@@ -779,10 +830,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_del_rt_rule *)header)->num_hdls;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_del_rt_rule) +
|
||
|
- ((struct ipa_ioc_del_rt_rule *)header)->num_hdls *
|
||
|
- sizeof(struct ipa_rt_rule_del);
|
||
|
+ pre_entry * sizeof(struct ipa_rt_rule_del);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -792,6 +844,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_del_rt_rule *)param)->num_hdls
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_del_rt_rule *)param)->num_hdls,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa2_del_rt_rule((struct ipa_ioc_del_rt_rule *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
@@ -808,10 +869,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_add_flt_rule *)header)->num_rules;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_add_flt_rule) +
|
||
|
- ((struct ipa_ioc_add_flt_rule *)header)->num_rules *
|
||
|
- sizeof(struct ipa_flt_rule_add);
|
||
|
+ pre_entry * sizeof(struct ipa_flt_rule_add);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -821,6 +883,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_add_flt_rule *)param)->num_rules
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_add_flt_rule *)param)->
|
||
|
+ num_rules,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa2_add_flt_rule((struct ipa_ioc_add_flt_rule *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
@@ -837,10 +909,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_del_flt_rule *)header)->num_hdls;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_del_flt_rule) +
|
||
|
- ((struct ipa_ioc_del_flt_rule *)header)->num_hdls *
|
||
|
- sizeof(struct ipa_flt_rule_del);
|
||
|
+ pre_entry * sizeof(struct ipa_flt_rule_del);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -850,6 +923,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_del_flt_rule *)param)->num_hdls
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_del_flt_rule *)param)->
|
||
|
+ num_hdls,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa2_del_flt_rule((struct ipa_ioc_del_flt_rule *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
@@ -866,10 +949,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_mdfy_flt_rule *)header)->num_rules;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_mdfy_flt_rule) +
|
||
|
- ((struct ipa_ioc_mdfy_flt_rule *)header)->num_rules *
|
||
|
- sizeof(struct ipa_flt_rule_mdfy);
|
||
|
+ pre_entry * sizeof(struct ipa_flt_rule_mdfy);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -879,6 +963,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_mdfy_flt_rule *)param)->num_rules
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_mdfy_flt_rule *)param)->
|
||
|
+ num_rules,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa2_mdfy_flt_rule((struct ipa_ioc_mdfy_flt_rule *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
@@ -992,9 +1086,10 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
-
|
||
|
- pyld_sz = sz + ((struct ipa_ioc_query_intf_tx_props *)
|
||
|
- header)->num_tx_props *
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_query_intf_tx_props *)
|
||
|
+ header)->num_tx_props;
|
||
|
+ pyld_sz = sz + pre_entry *
|
||
|
sizeof(struct ipa_ioc_tx_intf_prop);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
@@ -1005,6 +1100,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_query_intf_tx_props *)
|
||
|
+ param)->num_tx_props
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_query_intf_tx_props *)
|
||
|
+ param)->num_tx_props, pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa_query_intf_tx_props(
|
||
|
(struct ipa_ioc_query_intf_tx_props *)param)) {
|
||
|
retval = -1;
|
||
|
@@ -1027,9 +1132,10 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
-
|
||
|
- pyld_sz = sz + ((struct ipa_ioc_query_intf_rx_props *)
|
||
|
- header)->num_rx_props *
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_query_intf_rx_props *)
|
||
|
+ header)->num_rx_props;
|
||
|
+ pyld_sz = sz + pre_entry *
|
||
|
sizeof(struct ipa_ioc_rx_intf_prop);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
@@ -1040,6 +1146,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_query_intf_rx_props *)
|
||
|
+ param)->num_rx_props != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_query_intf_rx_props *)
|
||
|
+ param)->num_rx_props, pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa_query_intf_rx_props(
|
||
|
(struct ipa_ioc_query_intf_rx_props *)param)) {
|
||
|
retval = -1;
|
||
|
@@ -1062,9 +1177,10 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
-
|
||
|
- pyld_sz = sz + ((struct ipa_ioc_query_intf_ext_props *)
|
||
|
- header)->num_ext_props *
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_query_intf_ext_props *)
|
||
|
+ header)->num_ext_props;
|
||
|
+ pyld_sz = sz + pre_entry *
|
||
|
sizeof(struct ipa_ioc_ext_intf_prop);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
@@ -1075,6 +1191,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_query_intf_ext_props *)
|
||
|
+ param)->num_ext_props != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_query_intf_ext_props *)
|
||
|
+ param)->num_ext_props, pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa_query_intf_ext_props(
|
||
|
(struct ipa_ioc_query_intf_ext_props *)param)) {
|
||
|
retval = -1;
|
||
|
@@ -1091,8 +1216,10 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
- pyld_sz = sizeof(struct ipa_msg_meta) +
|
||
|
+ pre_entry =
|
||
|
((struct ipa_msg_meta *)header)->msg_len;
|
||
|
+ pyld_sz = sizeof(struct ipa_msg_meta) +
|
||
|
+ pre_entry;
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -1102,6 +1229,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_msg_meta *)param)->msg_len
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_msg_meta *)param)->msg_len,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa_pull_msg((struct ipa_msg_meta *)param,
|
||
|
(char *)param + sizeof(struct ipa_msg_meta),
|
||
|
((struct ipa_msg_meta *)param)->msg_len) !=
|
||
|
@@ -1218,10 +1354,12 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_add_hdr_proc_ctx *)
|
||
|
+ header)->num_proc_ctxs;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_add_hdr_proc_ctx) +
|
||
|
- ((struct ipa_ioc_add_hdr_proc_ctx *)header)->num_proc_ctxs *
|
||
|
- sizeof(struct ipa_hdr_proc_ctx_add);
|
||
|
+ pre_entry * sizeof(struct ipa_hdr_proc_ctx_add);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -1231,6 +1369,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_add_hdr_proc_ctx *)
|
||
|
+ param)->num_proc_ctxs != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_add_hdr_proc_ctx *)
|
||
|
+ param)->num_proc_ctxs, pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa2_add_hdr_proc_ctx(
|
||
|
(struct ipa_ioc_add_hdr_proc_ctx *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
@@ -1247,10 +1394,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_del_hdr_proc_ctx *)header)->num_hdls;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_del_hdr_proc_ctx) +
|
||
|
- ((struct ipa_ioc_del_hdr_proc_ctx *)header)->num_hdls *
|
||
|
- sizeof(struct ipa_hdr_proc_ctx_del);
|
||
|
+ pre_entry * sizeof(struct ipa_hdr_proc_ctx_del);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -1260,6 +1408,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_del_hdr_proc_ctx *)
|
||
|
+ param)->num_hdls != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption( %d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_del_hdr_proc_ctx *)param)->
|
||
|
+ num_hdls,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa2_del_hdr_proc_ctx(
|
||
|
(struct ipa_ioc_del_hdr_proc_ctx *)param)) {
|
||
|
retval = -EFAULT;
|
||
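Review bot: The format string in this hunk reads `" prevent memory corruption( %d not match %d)\n"`, with a space after the opening parenthesis that the other copies of the message do not have. That drift comes from repeating the same compare, log and `retval = -EINVAL; break;` sequence once per ioctl case in both files. A small static helper that takes the re-fetched count and `pre_entry`, logs once and returns whether they differ would keep the message and the error code in a single place. The case block continues outside the hunk.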
|
diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa.c b/drivers/platform/msm/ipa/ipa_v3/ipa.c
|
||
|
index 041b461..d7e98eb 100644
|
||
|
--- a/drivers/platform/msm/ipa/ipa_v3/ipa.c
|
||
|
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa.c
|
||
|
@@ -592,6 +592,7 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
struct ipa_ioc_v4_nat_del nat_del;
|
||
|
struct ipa_ioc_rm_dependency rm_depend;
|
||
|
size_t sz;
|
||
|
+ int pre_entry;
|
||
|
|
||
|
IPADBG("cmd=%x nr=%d\n", cmd, _IOC_NR(cmd));
|
||
|
|
||
|
@@ -645,11 +646,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
-
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_nat_dma_cmd *)header)->entries;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_nat_dma_cmd) +
|
||
|
- ((struct ipa_ioc_nat_dma_cmd *)header)->entries *
|
||
|
- sizeof(struct ipa_ioc_nat_dma_one);
|
||
|
+ pre_entry * sizeof(struct ipa_ioc_nat_dma_one);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -660,7 +661,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
-
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_nat_dma_cmd *)param)->entries
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_nat_dma_cmd *)param)->entries,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa3_nat_dma_cmd((struct ipa_ioc_nat_dma_cmd *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
@@ -685,10 +694,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_add_hdr *)header)->num_hdrs;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_add_hdr) +
|
||
|
- ((struct ipa_ioc_add_hdr *)header)->num_hdrs *
|
||
|
- sizeof(struct ipa_hdr_add);
|
||
|
+ pre_entry * sizeof(struct ipa_hdr_add);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -698,6 +708,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_add_hdr *)param)->num_hdrs
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_add_hdr *)param)->num_hdrs,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa3_add_hdr((struct ipa_ioc_add_hdr *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
@@ -714,10 +733,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_del_hdr *)header)->num_hdls;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_del_hdr) +
|
||
|
- ((struct ipa_ioc_del_hdr *)header)->num_hdls *
|
||
|
- sizeof(struct ipa_hdr_del);
|
||
|
+ pre_entry * sizeof(struct ipa_hdr_del);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -727,6 +747,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_del_hdr *)param)->num_hdls
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_del_hdr *)param)->num_hdls,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa3_del_hdr((struct ipa_ioc_del_hdr *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
@@ -743,10 +772,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_add_rt_rule *)header)->num_rules;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_add_rt_rule) +
|
||
|
- ((struct ipa_ioc_add_rt_rule *)header)->num_rules *
|
||
|
- sizeof(struct ipa_rt_rule_add);
|
||
|
+ pre_entry * sizeof(struct ipa_rt_rule_add);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -756,6 +786,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_add_rt_rule *)param)->num_rules
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_add_rt_rule *)param)->
|
||
|
+ num_rules,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa3_add_rt_rule((struct ipa_ioc_add_rt_rule *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
@@ -772,10 +812,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_add_rt_rule_after *)header)->num_rules;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_add_rt_rule_after) +
|
||
|
- ((struct ipa_ioc_add_rt_rule_after *)header)->num_rules *
|
||
|
- sizeof(struct ipa_rt_rule_add);
|
||
|
+ pre_entry * sizeof(struct ipa_rt_rule_add);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -785,6 +826,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_add_rt_rule_after *)param)->
|
||
|
+ num_rules != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_add_rt_rule_after *)param)->
|
||
|
+ num_rules,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa3_add_rt_rule_after(
|
||
|
(struct ipa_ioc_add_rt_rule_after *)param)) {
|
||
|
|
||
|
@@ -803,10 +854,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_mdfy_rt_rule *)header)->num_rules;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_mdfy_rt_rule) +
|
||
|
- ((struct ipa_ioc_mdfy_rt_rule *)header)->num_rules *
|
||
|
- sizeof(struct ipa_rt_rule_mdfy);
|
||
|
+ pre_entry * sizeof(struct ipa_rt_rule_mdfy);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -816,6 +868,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_mdfy_rt_rule *)param)->num_rules
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_mdfy_rt_rule *)param)->
|
||
|
+ num_rules,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa3_mdfy_rt_rule((struct ipa_ioc_mdfy_rt_rule *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
@@ -832,10 +894,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_del_rt_rule *)header)->num_hdls;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_del_rt_rule) +
|
||
|
- ((struct ipa_ioc_del_rt_rule *)header)->num_hdls *
|
||
|
- sizeof(struct ipa_rt_rule_del);
|
||
|
+ pre_entry * sizeof(struct ipa_rt_rule_del);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -845,6 +908,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_del_rt_rule *)param)->num_hdls
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_del_rt_rule *)param)->num_hdls,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa3_del_rt_rule((struct ipa_ioc_del_rt_rule *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
@@ -861,10 +933,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_add_flt_rule *)header)->num_rules;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_add_flt_rule) +
|
||
|
- ((struct ipa_ioc_add_flt_rule *)header)->num_rules *
|
||
|
- sizeof(struct ipa_flt_rule_add);
|
||
|
+ pre_entry * sizeof(struct ipa_flt_rule_add);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -874,6 +947,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_add_flt_rule *)param)->num_rules
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_add_flt_rule *)param)->
|
||
|
+ num_rules,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa3_add_flt_rule((struct ipa_ioc_add_flt_rule *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
@@ -891,10 +974,12 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_add_flt_rule_after *)header)->
|
||
|
+ num_rules;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_add_flt_rule_after) +
|
||
|
- ((struct ipa_ioc_add_flt_rule_after *)header)->num_rules *
|
||
|
- sizeof(struct ipa_flt_rule_add);
|
||
|
+ pre_entry * sizeof(struct ipa_flt_rule_add);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -904,6 +989,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_add_flt_rule_after *)param)->
|
||
|
+ num_rules != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_add_flt_rule_after *)param)->
|
||
|
+ num_rules,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa3_add_flt_rule_after(
|
||
|
(struct ipa_ioc_add_flt_rule_after *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
@@ -921,10 +1016,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_del_flt_rule *)header)->num_hdls;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_del_flt_rule) +
|
||
|
- ((struct ipa_ioc_del_flt_rule *)header)->num_hdls *
|
||
|
- sizeof(struct ipa_flt_rule_del);
|
||
|
+ pre_entry * sizeof(struct ipa_flt_rule_del);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -934,6 +1030,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_del_flt_rule *)param)->num_hdls
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_del_flt_rule *)param)->
|
||
|
+ num_hdls,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa3_del_flt_rule((struct ipa_ioc_del_flt_rule *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
@@ -950,10 +1056,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_mdfy_flt_rule *)header)->num_rules;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_mdfy_flt_rule) +
|
||
|
- ((struct ipa_ioc_mdfy_flt_rule *)header)->num_rules *
|
||
|
- sizeof(struct ipa_flt_rule_mdfy);
|
||
|
+ pre_entry * sizeof(struct ipa_flt_rule_mdfy);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -963,6 +1070,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_mdfy_flt_rule *)param)->num_rules
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_mdfy_flt_rule *)param)->
|
||
|
+ num_rules,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa3_mdfy_flt_rule((struct ipa_ioc_mdfy_flt_rule *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
@@ -1076,9 +1193,10 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
-
|
||
|
- pyld_sz = sz + ((struct ipa_ioc_query_intf_tx_props *)
|
||
|
- header)->num_tx_props *
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_query_intf_tx_props *)
|
||
|
+ header)->num_tx_props;
|
||
|
+ pyld_sz = sz + pre_entry *
|
||
|
sizeof(struct ipa_ioc_tx_intf_prop);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
@@ -1089,6 +1207,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_query_intf_tx_props *)
|
||
|
+ param)->num_tx_props
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_query_intf_tx_props *)
|
||
|
+ param)->num_tx_props, pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa3_query_intf_tx_props(
|
||
|
(struct ipa_ioc_query_intf_tx_props *)param)) {
|
||
|
retval = -1;
|
||
|
@@ -1111,9 +1239,10 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
-
|
||
|
- pyld_sz = sz + ((struct ipa_ioc_query_intf_rx_props *)
|
||
|
- header)->num_rx_props *
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_query_intf_rx_props *)
|
||
|
+ header)->num_rx_props;
|
||
|
+ pyld_sz = sz + pre_entry *
|
||
|
sizeof(struct ipa_ioc_rx_intf_prop);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
@@ -1124,6 +1253,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_query_intf_rx_props *)
|
||
|
+ param)->num_rx_props != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_query_intf_rx_props *)
|
||
|
+ param)->num_rx_props, pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa3_query_intf_rx_props(
|
||
|
(struct ipa_ioc_query_intf_rx_props *)param)) {
|
||
|
retval = -1;
|
||
|
@@ -1146,9 +1284,10 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
-
|
||
|
- pyld_sz = sz + ((struct ipa_ioc_query_intf_ext_props *)
|
||
|
- header)->num_ext_props *
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_query_intf_ext_props *)
|
||
|
+ header)->num_ext_props;
|
||
|
+ pyld_sz = sz + pre_entry *
|
||
|
sizeof(struct ipa_ioc_ext_intf_prop);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
@@ -1159,6 +1298,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_query_intf_ext_props *)
|
||
|
+ param)->num_ext_props != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_query_intf_ext_props *)
|
||
|
+ param)->num_ext_props, pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa3_query_intf_ext_props(
|
||
|
(struct ipa_ioc_query_intf_ext_props *)param)) {
|
||
|
retval = -1;
|
||
|
@@ -1175,8 +1323,10 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
- pyld_sz = sizeof(struct ipa_msg_meta) +
|
||
|
+ pre_entry =
|
||
|
((struct ipa_msg_meta *)header)->msg_len;
|
||
|
+ pyld_sz = sizeof(struct ipa_msg_meta) +
|
||
|
+ pre_entry;
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -1186,6 +1336,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_msg_meta *)param)->msg_len
|
||
|
+ != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_msg_meta *)param)->msg_len,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa3_pull_msg((struct ipa_msg_meta *)param,
|
||
|
(char *)param + sizeof(struct ipa_msg_meta),
|
||
|
((struct ipa_msg_meta *)param)->msg_len) !=
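Review bot: After the new equality check, the unchanged call below still takes its length from `((struct ipa_msg_meta *)param)->msg_len` rather than from `pre_entry`. The two are equal at that point, but passing `pre_entry` would make it explicit that the length handed to ipa3_pull_msg() is the one `param` was sized from. Here `pre_entry` holds a byte length rather than an entry count, which the name hides; a one-line comment such as `/* pre_entry: msg_len in bytes from the first header read */` would help. The call expression continues past the end of this hunk.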
|
||
|
@@ -1302,10 +1461,12 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_add_hdr_proc_ctx *)
|
||
|
+ header)->num_proc_ctxs;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_add_hdr_proc_ctx) +
|
||
|
- ((struct ipa_ioc_add_hdr_proc_ctx *)header)->num_proc_ctxs *
|
||
|
- sizeof(struct ipa_hdr_proc_ctx_add);
|
||
|
+ pre_entry * sizeof(struct ipa_hdr_proc_ctx_add);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -1315,6 +1476,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_add_hdr_proc_ctx *)
|
||
|
+ param)->num_proc_ctxs != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_add_hdr_proc_ctx *)
|
||
|
+ param)->num_proc_ctxs, pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa3_add_hdr_proc_ctx(
|
||
|
(struct ipa_ioc_add_hdr_proc_ctx *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
@@ -1331,10 +1501,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ pre_entry =
|
||
|
+ ((struct ipa_ioc_del_hdr_proc_ctx *)header)->num_hdls;
|
||
|
pyld_sz =
|
||
|
sizeof(struct ipa_ioc_del_hdr_proc_ctx) +
|
||
|
- ((struct ipa_ioc_del_hdr_proc_ctx *)header)->num_hdls *
|
||
|
- sizeof(struct ipa_hdr_proc_ctx_del);
|
||
|
+ pre_entry * sizeof(struct ipa_hdr_proc_ctx_del);
|
||
|
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||
|
if (!param) {
|
||
|
retval = -ENOMEM;
|
||
|
@@ -1344,6 +1515,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
||
|
retval = -EFAULT;
|
||
|
break;
|
||
|
}
|
||
|
+ /* add check in case user-space module compromised */
|
||
|
+ if (unlikely(((struct ipa_ioc_del_hdr_proc_ctx *)
|
||
|
+ param)->num_hdls != pre_entry)) {
|
||
|
+ IPAERR(" prevent memory corruption(%d not match %d)\n",
|
||
|
+ ((struct ipa_ioc_del_hdr_proc_ctx *)param)->
|
||
|
+ num_hdls,
|
||
|
+ pre_entry);
|
||
|
+ retval = -EINVAL;
|
||
|
+ break;
|
||
|
+ }
|
||
|
if (ipa3_del_hdr_proc_ctx(
|
||
|
(struct ipa_ioc_del_hdr_proc_ctx *)param)) {
|
||
|
retval = -EFAULT;
|
||
|
--
|
||
|
cgit v1.1