DivestOS/Patches/Linux_CVEs/CVE-2017-10999/ANY/0.patch
2017-10-29 22:14:37 -04:00

77 lines
2.6 KiB
Diff

From f51a152ad52108457ae6b1caf7a04857f25c4bed Mon Sep 17 00:00:00 2001
From: Skylar Chang <chiaweic@codeaurora.org>
Date: Wed, 15 Mar 2017 21:27:35 -0700
Subject: msm: ipa: fix security issues in ipa wan driver
Fix the security issue in handling add mux channel event
in ipa wan driver.
Bug: 36490777
Change-Id: Ic2ffeafddad4954ec3ecba0d675646d0790eede7
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
Acked-by: Shihuan Liu <shihuanl@qti.qualcomm.com>
---
drivers/platform/msm/ipa/rmnet_ipa.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/msm/ipa/rmnet_ipa.c b/drivers/platform/msm/ipa/rmnet_ipa.c
index a149a9e..0d6fb33 100644
--- a/drivers/platform/msm/ipa/rmnet_ipa.c
+++ b/drivers/platform/msm/ipa/rmnet_ipa.c
@@ -57,6 +57,7 @@ static atomic_t is_initialized;
static atomic_t is_ssr;
u32 apps_to_ipa_hdl, ipa_to_apps_hdl; /* get handler from ipa */
+static struct mutex add_mux_channel_lock;
static int wwan_add_ul_flt_rule_to_ipa(void);
static int wwan_del_ul_flt_rule_to_ipa(void);
@@ -1242,9 +1243,11 @@ static int ipa_wwan_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
rmnet_mux_val.mux_id);
return rc;
}
+ mutex_lock(&add_mux_channel_lock);
if (rmnet_index >= MAX_NUM_OF_MUX_CHANNEL) {
IPAWANERR("Exceed mux_channel limit(%d)\n",
rmnet_index);
+ mutex_unlock(&add_mux_channel_lock);
return -EFAULT;
}
IPAWANDBG("ADD_MUX_CHANNEL(%d, name: %s)\n",
@@ -1270,6 +1273,7 @@ static int ipa_wwan_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
IPAWANERR("device %s reg IPA failed\n",
extend_ioctl_data.u.
rmnet_mux_val.vchannel_name);
+ mutex_unlock(&add_mux_channel_lock);
return -ENODEV;
}
mux_channel[rmnet_index].mux_channel_set = true;
@@ -1282,6 +1286,7 @@ static int ipa_wwan_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
mux_channel[rmnet_index].ul_flt_reg = false;
}
rmnet_index++;
+ mutex_unlock(&add_mux_channel_lock);
break;
case RMNET_IOCTL_SET_EGRESS_DATA_FORMAT:
IPAWANDBG("get RMNET_IOCTL_SET_EGRESS_DATA_FORMAT\n");
@@ -2050,7 +2055,7 @@ static int __init ipa_wwan_init(void)
atomic_set(&is_initialized, 0);
atomic_set(&is_ssr, 0);
-
+ mutex_init(&add_mux_channel_lock);
/* Register for Modem SSR */
subsys = subsys_notif_register_notifier(SUBSYS_MODEM, &ssr_notifier);
if (!IS_ERR(subsys))
@@ -2061,6 +2066,7 @@ static int __init ipa_wwan_init(void)
static void __exit ipa_wwan_cleanup(void)
{
+ mutex_destroy(&add_mux_channel_lock);
platform_driver_unregister(&rmnet_ipa_driver);
}
--
cgit v1.1