Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2024-10-01 01:35:54 -04:00
Code Issues Packages Projects Releases Wiki Activity
c75ac86118
DivestOS/Patches/Linux_CVEs/CVE-2015-0572/ANY/0001.patch
Tad 11c7037780 Switch to new CVE patchset
2017-11-07 17:32:46 -05:00

144 lines
5.1 KiB
Diff
Raw Blame History

From 34ad3d34fbff11b8e1210b9da0dac937fb956b61 Mon Sep 17 00:00:00 2001
From: Sathish Ambley <sathishambley@codeaurora.org>
Date: Wed, 10 Jun 2015 00:39:41 -0700
Subject: msm: ADSPRPC: Do not access user memory directly
The buffers being passed in the invocation are copied from user
memory into the context using copy_from_user. Lookup the buffer
pointers from the context where it was copied rather than directly
accessing it from the user memory.
Change-Id: Ief5a840f17f6287ebd48b4ae52facaccb271fab8
Signed-off-by: Sathish Ambley <sathishambley@codeaurora.org>
---
drivers/char/adsprpc.c | 27 ++++++++++++++-------------
drivers/char/adsprpc_compat.c | 15 +++++++--------
2 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index a3d0b7f..1eec274 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -652,8 +652,7 @@ static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd, uintptr_t va,
static int fastrpc_mmap_create_physical(struct fastrpc_file *fl,
struct fastrpc_ioctl_mmap *ud, struct fastrpc_mmap **ppmap);
-static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
- remote_arg_t *upra)
+static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
{
remote_arg64_t *rpra;
remote_arg_t *lpra = ctx->lpra;
@@ -793,9 +792,9 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
}
inh = inbufs + outbufs;
for (i = 0; i < REMOTE_SCALARS_INHANDLES(sc); i++) {
- rpra[inh + i].buf.pv = ptr_to_uint64(upra[inh + i].buf.pv);
- rpra[inh + i].buf.len = upra[inh + i].buf.len;
- rpra[inh + i].h = upra[inh + i].h;
+ rpra[inh + i].buf.pv = ptr_to_uint64(ctx->lpra[inh + i].buf.pv);
+ rpra[inh + i].buf.len = ctx->lpra[inh + i].buf.len;
+ rpra[inh + i].h = ctx->lpra[inh + i].h;
}
dmac_flush_range((char *)rpra, (char *)rpra + ctx->used);
bail:
@@ -807,7 +806,7 @@ static int put_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
{
uint32_t sc = ctx->sc;
remote_arg64_t *rpra = ctx->rpra;
- int i, inbufs, outbufs, outh;
+ int i, inbufs, outbufs, outh, num;
int err = 0;
inbufs = REMOTE_SCALARS_INBUFS(sc);
@@ -815,7 +814,7 @@ static int put_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
for (i = inbufs; i < inbufs + outbufs; ++i) {
if (!ctx->maps[i]) {
K_COPY_TO_USER(err, kernel,
- upra[i].buf.pv,
+ ctx->lpra[i].buf.pv,
uint64_to_ptr(rpra[i].buf.pv),
rpra[i].buf.len);
if (err)
@@ -825,11 +824,13 @@ static int put_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
ctx->maps[i] = 0;
}
}
- outh = inbufs + outbufs + REMOTE_SCALARS_INHANDLES(sc);
- for (i = 0; i < REMOTE_SCALARS_OUTHANDLES(sc); i++) {
- upra[outh + i].buf.pv = uint64_to_ptr(rpra[outh + i].buf.pv);
- upra[outh + i].buf.len = rpra[outh + i].buf.len;
- upra[outh + i].h = rpra[outh + i].h;
+ num = REMOTE_SCALARS_OUTHANDLES(sc);
+ if (num) {
+ outh = inbufs + outbufs + REMOTE_SCALARS_INHANDLES(sc);
+ K_COPY_TO_USER(err, kernel, &upra[outh], &ctx->lpra[outh],
+ num * sizeof(*ctx->lpra));
+ if (err)
+ goto bail;
}
bail:
return err;
@@ -992,7 +993,7 @@ static int fastrpc_internal_invoke(struct fastrpc_file *fl, uint32_t mode,
goto bail;
if (REMOTE_SCALARS_LENGTH(ctx->sc)) {
- VERIFY(err, 0 == get_args(kernel, ctx, invoke->pra));
+ VERIFY(err, 0 == get_args(kernel, ctx));
if (err)
goto bail;
}
diff --git a/drivers/char/adsprpc_compat.c b/drivers/char/adsprpc_compat.c
index 2956702..ee324dc 100644
--- a/drivers/char/adsprpc_compat.c
+++ b/drivers/char/adsprpc_compat.c
@@ -98,8 +98,9 @@ static int compat_get_fastrpc_ioctl_invoke(
if (err)
return -EFAULT;
- inv->inv.pra = (union remote_arg *)(inv + 1);
- err = put_user(sc, &inv->inv.sc);
+ pra = (union remote_arg *)(inv + 1);
+ err = put_user(pra, &inv->inv.pra);
+ err |= put_user(sc, &inv->inv.sc);
err |= get_user(u, &inv32->inv.handle);
err |= put_user(u, &inv->inv.handle);
err |= get_user(p, &inv32->inv.pra);
@@ -107,12 +108,11 @@ static int compat_get_fastrpc_ioctl_invoke(
return err;
pra32 = compat_ptr(p);
- pra = inv->inv.pra;
+ pra = (union remote_arg *)(inv + 1);
num = REMOTE_SCALARS_INBUFS(sc) + REMOTE_SCALARS_OUTBUFS(sc);
for (j = 0; j < num; j++) {
err |= get_user(p, &pra32[j].buf.pv);
- pra[j].buf.pv = 0;
- err |= put_user(p, (compat_uptr_t *)&pra[j].buf.pv);
+ err |= put_user(p, (uintptr_t *)&pra[j].buf.pv);
err |= get_user(s, &pra32[j].buf.len);
err |= put_user(s, &pra[j].buf.len);
}
@@ -121,7 +121,7 @@ static int compat_get_fastrpc_ioctl_invoke(
err |= put_user(u, &pra[num + j].h);
}
- inv->fds = NULL;
+ err |= put_user(NULL, &inv->fds);
if (cmd == COMPAT_FASTRPC_IOCTL_INVOKE_FD) {
err |= get_user(p, &inv32->fds);
err |= put_user(p, (compat_uptr_t *)&inv->fds);
@@ -173,8 +173,7 @@ static int compat_get_fastrpc_ioctl_mmap(
err |= get_user(u, &map32->flags);
err |= put_user(u, &map->flags);
err |= get_user(p, &map32->vaddrin);
- map->vaddrin = NULL;
- err |= put_user(p, (compat_uptr_t *)&map->vaddrin);
+ err |= put_user(p, (uintptr_t *)&map->vaddrin);
err |= get_user(s, &map32->size);
err |= put_user(s, &map->size);
--
cgit v1.1
Reference in New Issue View Git Blame Copy Permalink