author | Deepak Kumar Singh <deesin@codeaurora.org> | 2020-02-05 15:53:02 +0530 |
---|---|---|
committer | Arun Kumar Neelakantam <aneela@codeaurora.org> | 2020-02-26 19:37:17 +0530 |
commit | 9346632ccfe6946cf77b869403dbf65dcd6a24de (patch) | |
tree | d03ac6aaf7373452ffc1adce9acb2f25f7b726f2 /net/ipc_router | |
parent | 552e9ea21aed41a5c3e9d2c1626ceb05ffc461b5 (diff) |
net: ipc_router: Do not allow change of default security rule
The default security rule is freed while it is being used to check
security permission in the ipcrtr send API. This results in a
use-after-free.
The default security rule should not be changed, so remove the code
that changes the default rule from user space.
CRs-Fixed: 2591650
Change-Id: I08788102a0748b6bc72cb3c77b46de2d65ede91d
Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
Diffstat (limited to 'net/ipc_router')
-rw-r--r-- | net/ipc_router/ipc_router_security.c | 22 |
1 files changed, 8 insertions, 14 deletions
diff --git a/net/ipc_router/ipc_router_security.c b/net/ipc_router/ipc_router_security.c
index 539c72f8158a..ab4e5003c05d 100644
--- a/net/ipc_router/ipc_router_security.c
+++ b/net/ipc_router/ipc_router_security.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2014,2020, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -101,7 +101,7 @@ EXPORT_SYMBOL(check_permissions);
 int msm_ipc_config_sec_rules(void *arg)
 {
 struct config_sec_rules_args sec_rules_arg;
- struct security_rule *rule, *temp_rule;
+ struct security_rule *rule;
 int key;
 size_t kgroup_info_sz;
 int ret;
@@ -117,6 +117,10 @@ int msm_ipc_config_sec_rules(void *arg)
 if (ret)
 return -EFAULT;
+ /* Default rule change from config util not allowed */
+ if (sec_rules_arg.service_id == ALL_SERVICE)
+ return -EINVAL;
+
 if (sec_rules_arg.num_group_info <= 0)
 return -EINVAL;
@@ -174,21 +178,11 @@ int msm_ipc_config_sec_rules(void *arg)
 key = rule->service_id & (SEC_RULES_HASH_SZ - 1);
 down_write(&security_rules_lock_lha4);
- if (rule->service_id == ALL_SERVICE) {
- temp_rule = list_first_entry(&security_rules[key],
- struct security_rule, list);
- list_del(&temp_rule->list);
- kfree(temp_rule->group_id);
- kfree(temp_rule);
- }
 list_add_tail(&rule->list, &security_rules[key]);
 up_write(&security_rules_lock_lha4);
- if (rule->service_id == ALL_SERVICE)
- msm_ipc_sync_default_sec_rule((void *)rule);
- else
- msm_ipc_sync_sec_rule(rule->service_id, rule->instance_id,
- (void *)rule);
+ msm_ipc_sync_sec_rule(rule->service_id,
+ rule->instance_id, (void *)rule);
 return 0;
 } |
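Review bot: The comment on the new ALL_SERVICE guard in msm_ipc_config_sec_rules() (third hunk) says what is rejected but not why, and the reason is the security-relevant part. Per the commit message, replacing the default rule freed an object that the send-path permission check was still using. I would expand it to something like `/* The default (ALL_SERVICE) rule is referenced by the send-path permission check and must never be replaced or freed at runtime; reject attempts from user space. */`. It may also be worth returning `-EPERM` instead of `-EINVAL`, so a caller can tell this policy refusal apart from the malformed-argument case (`num_group_info <= 0`) directly below; that changes a user-visible error code, so existing callers would need checking first. The function body starts and ends outside this hunk.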
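Review bot: After the last hunk removes the ALL_SERVICE branch, `msm_ipc_sync_default_sec_rule()` has no caller left in this function; if nothing else in the tree uses it (not visible here), it should be dropped in the same change so no remaining path can swap the default rule. The surviving call hands `rule` to `msm_ipc_sync_sec_rule()` after `up_write(&security_rules_lock_lha4)`, that is, after the rule has been published on `security_rules[key]` and the lock released. That is safe only while no code path frees entries on these lists, which is the same lifetime assumption whose violation the commit message describes for the default rule. A short comment such as `/* Rules are never freed once added to security_rules[]; 'rule' may be used unlocked */` would make the assumption explicit for later changes. The function begins outside the hunk.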