
Commit bcab196

Ravi Kumar BokkaExactExampl
authored andcommitted
securemsm-kernel: Fixed multiple listener registration on same fd
Added a check to prevent more than one listener registration on the same fd. Multiple registrations could lead to a potential use-after-free while unregistering the listener. Change-Id: Ia2973853943b5619bcf2047629b9c193f6a8c5cf Signed-off-by: Pawan Rai <quic_pawarai@quicinc.com> Signed-off-by: Ravi Kumar Bokka <quic_c_rbokka@quicinc.com>
1 parent e3c6c8b commit bcab196

1 file changed

Lines changed: 16 additions & 1 deletion


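--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -332,7 +332,7 @@ struct qseecom_client_handle {
 
 struct qseecom_listener_handle {
 u32 id;
-bool unregister_pending;
+bool register_pending;
 bool release_called;
 };
 
@@ -1207,6 +1207,11 @@ static int qseecom_register_listener(struct qseecom_dev_handle *data,
 struct qseecom_registered_listener_list *new_entry;
 struct qseecom_registered_listener_list *ptr_svc;
 
+if (data->listener.register_pending) {
+pr_err("Already a listner registration is in process on this FD\n");
+return -EINVAL;
+}
+
 ret = copy_from_user(&rcvd_lstnr, argp, sizeof(rcvd_lstnr));
 if (ret) {
 pr_err("copy_from_user failed\n");
@@ -1216,6 +1221,13 @@ static int qseecom_register_listener(struct qseecom_dev_handle *data,
 rcvd_lstnr.sb_size))
 return -EFAULT;
 
+ptr_svc = __qseecom_find_svc(data->listener.id);
+if (ptr_svc) {
+pr_err("Already a listener registered on this data: lid=%d\n",
+data->listener.id);
+return -EINVAL;
+}
+
 ptr_svc = __qseecom_find_svc(rcvd_lstnr.listener_id);
 if (ptr_svc) {
 if (ptr_svc->unregister_pending == false) {
@@ -1250,12 +1262,15 @@ static int qseecom_register_listener(struct qseecom_dev_handle *data,
 new_entry->svc.listener_id = rcvd_lstnr.listener_id;
 new_entry->sb_length = rcvd_lstnr.sb_size;
 new_entry->user_virt_sb_base = rcvd_lstnr.virt_sb_base;
+data->listener.register_pending = true;
 if (__qseecom_set_sb_memory(new_entry, data, &rcvd_lstnr)) {
 pr_err("qseecom_set_sb_memory failed for listener %d, size %d\n",
 rcvd_lstnr.listener_id, rcvd_lstnr.sb_size);
 kzfree(new_entry);
+data->listener.register_pending = false;
 return -ENOMEM;
 }
+data->listener.register_pending = false;
 
 init_waitqueue_head(&new_entry->rcv_req_wq);
 init_waitqueue_head(&new_entry->listener_block_app_wq);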
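Review bot: The `register_pending` flag added at new lines 1210 and 1265 is a plain bool that is read at the top of `qseecom_register_listener` and only set just before `__qseecom_set_sb_memory`, with no locking visible in these hunks; if two registrations on the same fd can run concurrently, the read at 1210 and the write at 1265 are a check-then-act pair and both callers can pass the check before either sets the flag, so the flag only closes a window if the caller already holds a lock that `__qseecom_set_sb_memory` drops and reacquires, which the hunks do not show. A comment at the flag, such as `/* set while the listener lock is dropped inside __qseecom_set_sb_memory; cleared on every exit path below */`, would record which window it is meant to guard and under what lock the check is valid. The flag is cleared on both visible exits (1270 and 1273), but any future early return added between 1265 and 1273 would leave the fd permanently refusing registrations; a single cleanup label that clears it would make that harder to get wrong. Minor: the message at 1211 misspells "listener", and `-EBUSY` describes a registration already in progress more accurately than `-EINVAL`. The body of `qseecom_register_listener` continues outside these hunks.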
