android/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

iommu: Fix missing return check of arm_lpae_init_pte

Browse Source 
UAF scenario may occur in clients with EL1 privileges for
iova mappings when we miss to check the return value of
arm_lpae_init_pte which may lead to an PTE be counted as
it was set even if it was already existing. This can cause a
dangling IOMMU PTE to be left mapped pointing to a
freed object and cause UAF in the client if the dangling PTE
is accessed after a failed unmap operation.

Change-Id: I674b9b520e705b8f8e63ba20ed76e64cb2fe0f47
Fixes: 9913ccceda61 ("qcom-iommu-util: Take a snapshot of the qcom-iommu-util module from msm-5.15")
[quic_pbrahma@quicinc.com: Propagated fix to the new file
 with the bug signature ]
Signed-off-by: Pratyush Brahma <quic_pbrahma@quicinc.com>
This commit is contained in:
Pratyush Brahma 2023-09-22 17:00:04 +05:30 committed by Srinivasarao Pathipati
parent a045da1596
commit d03bccde07
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/iommu/qcom-io-pgtable-arm.c
View File

@ -727,8 +727,10 @@ static int arm_lpae_map_by_pgsize(struct io_pgtable_ops *ops,
if (ms->pgtable && (iova < ms->iova_end)) {
ms_ptep = ms->pgtable + ARM_LPAE_LVL_IDX(iova, MAP_STATE_LVL, data);
arm_lpae_init_pte(data, iova, paddr, prot, MAP_STATE_LVL,
ret = arm_lpae_init_pte(data, iova, paddr, prot, MAP_STATE_LVL,
1, ms_ptep, ms->prev_pgtable, false);
if (ret)
return ret;
ms->num_pte++;
} else {
ret = __arm_lpae_map(data, iova, paddr, pgsize, 1,