anierin/msm-5.15
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "msm: adsprpc: Handle UAF in fastrpc debugfs read"

Browse Source
This commit is contained in:
qctecmdr
2022-01-31 05:18:38 -08:00
committed by Gerrit - the friendly Code Review server
parent 1d98a82ef3 311dd76d74
commit fdee0ac3f2
1 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
drivers/char/adsprpc.c
View File

@@ -5574,6 +5574,7 @@ static ssize_t fastrpc_debugfs_read(struct file *filp, char __user *buffer,
char *fileinfo = NULL; char *fileinfo = NULL;
char single_line[] = "----------------"; char single_line[] = "----------------";
char title[] = "========================="; char title[] = "=========================";
unsigned long irq_flags = 0;
fileinfo = kzalloc(DEBUGFS_SIZE, GFP_KERNEL); fileinfo = kzalloc(DEBUGFS_SIZE, GFP_KERNEL);
if (!fileinfo) { if (!fileinfo) {
@@ -5626,6 +5627,7 @@ static ssize_t fastrpc_debugfs_read(struct file *filp, char __user *buffer,
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len, len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"%s%s%s%s%s\n", single_line, single_line, "%s%s%s%s%s\n", single_line, single_line,
single_line, single_line, single_line); single_line, single_line, single_line);
spin_lock_irqsave(&me->hlock, irq_flags);
hlist_for_each_entry_safe(gmaps, n, &me->maps, hn) { hlist_for_each_entry_safe(gmaps, n, &me->maps, hn) {
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len, len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"%-20d|0x%-18llX|0x%-18X|0x%-20lX\n\n", "%-20d|0x%-18llX|0x%-18X|0x%-20lX\n\n",
@@ -5633,18 +5635,21 @@ static ssize_t fastrpc_debugfs_read(struct file *filp, char __user *buffer,
(uint32_t)gmaps->size, (uint32_t)gmaps->size,
gmaps->va); gmaps->va);
} }
spin_unlock_irqrestore(&me->hlock, irq_flags);
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len, len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"%-20s|%-20s|%-20s|%-20s\n", "%-20s|%-20s|%-20s|%-20s\n",
"len", "refs", "raddr", "flags"); "len", "refs", "raddr", "flags");
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len, len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"%s%s%s%s%s\n", single_line, single_line, "%s%s%s%s%s\n", single_line, single_line,
single_line, single_line, single_line); single_line, single_line, single_line);
spin_lock_irqsave(&me->hlock, irq_flags);
hlist_for_each_entry_safe(gmaps, n, &me->maps, hn) { hlist_for_each_entry_safe(gmaps, n, &me->maps, hn) {
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len, len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"0x%-18X|%-20d|%-20lu|%-20u\n", "0x%-18X|%-20d|%-20lu|%-20u\n",
(uint32_t)gmaps->len, gmaps->refs, (uint32_t)gmaps->len, gmaps->refs,
gmaps->raddr, gmaps->flags); gmaps->raddr, gmaps->flags);
} }
spin_unlock_irqrestore(&me->hlock, irq_flags);
} else { } else {
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len, len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"\n%s %13s %d\n", "cid", ":", fl->cid); "\n%s %13s %d\n", "cid", ":", fl->cid);
@@ -5687,12 +5692,14 @@ static ssize_t fastrpc_debugfs_read(struct file *filp, char __user *buffer,
"%s%s%s%s%s\n", "%s%s%s%s%s\n",
single_line, single_line, single_line, single_line, single_line, single_line,
single_line, single_line); single_line, single_line);
mutex_lock(&fl->map_mutex);
hlist_for_each_entry_safe(map, n, &fl->maps, hn) { hlist_for_each_entry_safe(map, n, &fl->maps, hn) {
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len, len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"0x%-20lX|0x%-20llX|0x%-20zu\n\n", "0x%-20lX|0x%-20llX|0x%-20zu\n\n",
map->va, map->phys, map->va, map->phys,
map->size); map->size);
} }
mutex_unlock(&fl->map_mutex);
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len, len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"%-20s|%-20s|%-20s|%-20s\n", "%-20s|%-20s|%-20s|%-20s\n",
"len", "refs", "len", "refs",
@@ -5701,23 +5708,26 @@ static ssize_t fastrpc_debugfs_read(struct file *filp, char __user *buffer,
"%s%s%s%s%s\n", "%s%s%s%s%s\n",
single_line, single_line, single_line, single_line, single_line, single_line,
single_line, single_line); single_line, single_line);
mutex_lock(&fl->map_mutex);
hlist_for_each_entry_safe(map, n, &fl->maps, hn) { hlist_for_each_entry_safe(map, n, &fl->maps, hn) {
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len, len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"%-20zu|%-20d|0x%-20lX|%-20d\n\n", "%-20zu|%-20d|0x%-20lX|%-20d\n\n",
map->len, map->refs, map->raddr); map->len, map->refs, map->raddr);
} }
mutex_unlock(&fl->map_mutex);
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len, len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"%-20s|%-20s\n", "secure", "attr"); "%-20s|%-20s\n", "secure", "attr");
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len, len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"%s%s%s%s%s\n", "%s%s%s%s%s\n",
single_line, single_line, single_line, single_line, single_line, single_line,
single_line, single_line); single_line, single_line);
mutex_lock(&fl->map_mutex);
hlist_for_each_entry_safe(map, n, &fl->maps, hn) { hlist_for_each_entry_safe(map, n, &fl->maps, hn) {
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len, len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"%-20d|0x%-20lX\n\n", "%-20d|0x%-20lX\n\n",
map->secure, map->attr); map->secure, map->attr);
} }
mutex_unlock(&fl->map_mutex);
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len, len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"\n======%s %s %s======\n", title, "\n======%s %s %s======\n", title,
" LIST OF BUFS ", title); " LIST OF BUFS ", title);