author | Vamsi krishna Gattupalli <vgattupa@codeaurora.org> | 2020-12-02 12:59:03 +0530 |
---|---|---|
committer | Michael Bestas <mkbestas@lineageos.org> | 2021-08-19 08:44:20 +0300 |
commit | 42239a8d619a7b7264d77dc9262888f91349d205 (patch) | |
tree | 4114a80ca3612695425159dc1962a90762790ea7 /drivers | |
parent | f8b7327527d30cf96ffabd8434248feb3762707a (diff) |
msm:ADSPRPC :Fix to avoid Use after free in fastrpc_internal_munmap
Added a check to validate map before freeing it to avoid Use after
free scenario.
Change-Id: Ic723a4fe964a4909119663500018f2a07976105b
Signed-off-by: Vamsi krishna Gattupalli <vgattupa@codeaurora.org>
CVE-2021-1927
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/char/adsprpc.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index f427be48cfdf..86d65c3c6b92 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -2329,11 +2329,13 @@ static int fastrpc_internal_munmap(struct fastrpc_file *fl,
 VERIFY(err, !fastrpc_mmap_remove(fl, ud->vaddrout, ud->size, &map));
 if (err)
 goto bail;
- VERIFY(err, !fastrpc_munmap_on_dsp(fl, map->raddr,
- map->phys, map->size, map->flags));
- if (err)
- goto bail;
- fastrpc_mmap_free(map);
+ if (map) {
+ VERIFY(err, !fastrpc_munmap_on_dsp(fl, map->raddr,
+ map->phys, map->size, map->flags));
+ if (err)
+ goto bail;
+ fastrpc_mmap_free(map);
+ }
 bail:
 if (err && map)
 fastrpc_mmap_add(map); |
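Review bot: The new `if (map)` guard in fastrpc_internal_munmap only rejects a NULL pointer, so it cannot by itself tell a live mapping from one that has already been freed. If the use-after-free named in the commit message arises from two callers reaching this path for the same mapping, the remove / unmap-on-DSP / free sequence presumably needs to be serialized by a lock, and none is visible in this hunk. The guard also means that when fastrpc_mmap_remove() succeeds but leaves `map` NULL, control reaches `bail` with err == 0 and the caller is told the unmap succeeded although nothing was unmapped. Consider failing explicitly, e.g. `if (!map) { err = -EINVAL; goto bail; }`, or add a comment stating when a NULL `map` with no error is expected. The function starts and ends outside the hunk, so the initialization of `map` and any locking around this sequence could not be checked.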