Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

staging: vchiq_arm: fix compat VCHIQ_IOC_AWAIT_COMPLETION

The compatibility ioctl wrapper for VCHIQ_IOC_AWAIT_COMPLETION assumes that
the native ioctl always uses a message buffer and decrements msgbufcount.
Certain message types do not use a message buffer and in this case
msgbufcount is not decremented, and completion->header for the message is
NULL. Because the wrapper unconditionally decrements msgbufcount, the
calling process may assume that a message buffer has been used even when
it has not.

This results in a memory leak in the userspace code that interfaces with
this driver. When msgbufcount is decremented, the userspace code assumes
that the buffer can be freed though the reference in completion->header,
which cannot happen when the reference is NULL.

This patch causes the wrapper to only decrement msgbufcount when the
native ioctl decrements it. Note that we cannot simply copy the native
ioctl's value of msgbufcount, because the wrapper only retrieves messages
from the native ioctl one at a time, while userspace may request multiple
messages.

See https://github.com/raspberrypi/linux/pull/2703 for more discussion of
this patch.

Fixes: 5569a1260933 ("staging: vchiq_arm: Add compatibility wrappers for ioctls")
Signed-off-by: Ben Wolsieffer <benwolsieffer@gmail.com>
Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ben Wolsieffer 6 years ago
parent
cd56a51413
commit
5a96b2d38d
1 changed files with 6 additions and 1 deletions
Unified View Show Diff Stats
  1. 6 1
      drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c

+ 6 - 1
drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
View File 

@@ -1795,6 +1795,7 @@ vchiq_compat_ioctl_await_completion(struct file *file,
 
 	struct vchiq_await_completion32 args32;
 
 	struct vchiq_await_completion32 args32;
 
 	struct vchiq_completion_data32 completion32;
 
 	struct vchiq_completion_data32 completion32;
 
 	unsigned int *msgbufcount32;
 
 	unsigned int *msgbufcount32;
 
+	unsigned int msgbufcount_native;
 
 	compat_uptr_t msgbuf32;
 
 	compat_uptr_t msgbuf32;
 
 	void *msgbuf;
 
 	void *msgbuf;
 
 	void **msgbufptr;
 
 	void **msgbufptr;
 
@@ -1906,7 +1907,11 @@ vchiq_compat_ioctl_await_completion(struct file *file,
 
 			 sizeof(completion32)))
 
 			 sizeof(completion32)))
 
 		return -EFAULT;
 
 		return -EFAULT;
 
 
 
-	args32.msgbufcount--;
 
+	if (get_user(msgbufcount_native, &args->msgbufcount))
 
+		return -EFAULT;
 
+
 
+	if (!msgbufcount_native)
 
+		args32.msgbufcount--;
 
 
 
 	msgbufcount32 =
 
 	msgbufcount32 =
 
 		&((struct vchiq_await_completion32 __user *)arg)->msgbufcount;
 
 		&((struct vchiq_await_completion32 __user *)arg)->msgbufcount;