Merge "diag: Prevent out of bound access while initializing msg mask"
commit
07923e8c47
4 changed files with 80 additions and 29 deletions
|
@ -337,13 +337,14 @@ static void diag_send_msg_mask_update(uint8_t peripheral, int first, int last)
|
|||
int err = 0;
|
||||
int header_len = sizeof(struct diag_ctrl_msg_mask);
|
||||
int temp_len = 0;
|
||||
uint8_t *buf = NULL, upd = 0;
|
||||
uint8_t *temp = NULL;
|
||||
uint8_t *buf = NULL, *temp = NULL;
|
||||
uint8_t upd = 0;
|
||||
uint8_t msg_mask_tbl_count_local = 0;
|
||||
uint32_t mask_size = 0;
|
||||
struct diag_mask_info *mask_info = NULL;
|
||||
struct diag_msg_mask_t *mask = NULL;
|
||||
struct diag_ctrl_msg_mask header;
|
||||
uint8_t msg_mask_tbl_count_local;
|
||||
struct diag_md_session_t *md_session_info = NULL;
|
||||
|
||||
if (peripheral >= NUM_PERIPHERALS)
|
||||
return;
|
||||
|
@ -357,15 +358,20 @@ static void diag_send_msg_mask_update(uint8_t peripheral, int first, int last)
|
|||
|
||||
if (driver->md_session_mask != 0) {
|
||||
if (driver->md_session_mask & MD_PERIPHERAL_MASK(peripheral)) {
|
||||
if (driver->md_session_map[peripheral])
|
||||
if (driver->md_session_map[peripheral]) {
|
||||
mask_info =
|
||||
driver->md_session_map[peripheral]->msg_mask;
|
||||
md_session_info =
|
||||
driver->md_session_map[peripheral];
|
||||
}
|
||||
} else if (driver->md_session_mask &
|
||||
MD_PERIPHERAL_PD_MASK(peripheral)) {
|
||||
upd = diag_mask_to_pd_value(driver->md_session_mask);
|
||||
if (upd && driver->md_session_map[upd])
|
||||
if (upd && driver->md_session_map[upd]) {
|
||||
mask_info =
|
||||
driver->md_session_map[upd]->msg_mask;
|
||||
md_session_info = driver->md_session_map[upd];
|
||||
}
|
||||
} else {
|
||||
DIAG_LOG(DIAG_DEBUG_MASKS,
|
||||
"asking for mask update with unknown session mask\n");
|
||||
|
@ -384,7 +390,10 @@ static void diag_send_msg_mask_update(uint8_t peripheral, int first, int last)
|
|||
return;
|
||||
}
|
||||
buf = mask_info->update_buf;
|
||||
msg_mask_tbl_count_local = driver->msg_mask_tbl_count;
|
||||
if (md_session_info)
|
||||
msg_mask_tbl_count_local = md_session_info->msg_mask_tbl_count;
|
||||
else
|
||||
msg_mask_tbl_count_local = driver->msg_mask_tbl_count;
|
||||
mutex_unlock(&driver->msg_mask_lock);
|
||||
mutex_lock(&mask_info->lock);
|
||||
switch (mask_info->status) {
|
||||
|
@ -567,6 +576,7 @@ static int diag_cmd_get_ssid_range(unsigned char *src_buf, int src_len,
|
|||
{
|
||||
int i;
|
||||
int write_len = 0;
|
||||
uint8_t msg_mask_tbl_count = 0;
|
||||
struct diag_msg_mask_t *mask_ptr = NULL;
|
||||
struct diag_msg_ssid_query_t rsp;
|
||||
struct diag_ssid_range_t ssid_range;
|
||||
|
@ -596,15 +606,17 @@ static int diag_cmd_get_ssid_range(unsigned char *src_buf, int src_len,
|
|||
return 0;
|
||||
}
|
||||
mutex_lock(&driver->msg_mask_lock);
|
||||
msg_mask_tbl_count = (info) ? info->msg_mask_tbl_count :
|
||||
driver->msg_mask_tbl_count;
|
||||
rsp.cmd_code = DIAG_CMD_MSG_CONFIG;
|
||||
rsp.sub_cmd = DIAG_CMD_OP_GET_SSID_RANGE;
|
||||
rsp.status = MSG_STATUS_SUCCESS;
|
||||
rsp.padding = 0;
|
||||
rsp.count = driver->msg_mask_tbl_count;
|
||||
rsp.count = msg_mask_tbl_count;
|
||||
memcpy(dest_buf, &rsp, sizeof(rsp));
|
||||
write_len += sizeof(rsp);
|
||||
mask_ptr = (struct diag_msg_mask_t *)mask_info->ptr;
|
||||
for (i = 0; i < driver->msg_mask_tbl_count; i++, mask_ptr++) {
|
||||
for (i = 0; i < msg_mask_tbl_count; i++, mask_ptr++) {
|
||||
if (write_len + sizeof(ssid_range) > dest_len) {
|
||||
pr_err("diag: In %s, Truncating response due to size limitations of rsp buffer\n",
|
||||
__func__);
|
||||
|
@ -681,6 +693,7 @@ static int diag_cmd_get_msg_mask(unsigned char *src_buf, int src_len,
|
|||
int i;
|
||||
int write_len = 0;
|
||||
uint32_t mask_size = 0;
|
||||
uint8_t msg_mask_tbl_count = 0;
|
||||
struct diag_msg_mask_t *mask = NULL;
|
||||
struct diag_build_mask_req_t *req = NULL;
|
||||
struct diag_msg_build_mask_t rsp;
|
||||
|
@ -711,6 +724,8 @@ static int diag_cmd_get_msg_mask(unsigned char *src_buf, int src_len,
|
|||
}
|
||||
|
||||
mutex_lock(&driver->msg_mask_lock);
|
||||
msg_mask_tbl_count = (info) ? info->msg_mask_tbl_count :
|
||||
driver->msg_mask_tbl_count;
|
||||
req = (struct diag_build_mask_req_t *)src_buf;
|
||||
rsp.cmd_code = DIAG_CMD_MSG_CONFIG;
|
||||
rsp.sub_cmd = DIAG_CMD_OP_GET_MSG_MASK;
|
||||
|
@ -726,7 +741,7 @@ static int diag_cmd_get_msg_mask(unsigned char *src_buf, int src_len,
|
|||
mutex_unlock(&driver->md_session_lock);
|
||||
return -EINVAL;
|
||||
}
|
||||
for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++) {
|
||||
for (i = 0; i < msg_mask_tbl_count; i++, mask++) {
|
||||
if (!mask->ptr)
|
||||
continue;
|
||||
if ((req->ssid_first < mask->ssid_first) ||
|
||||
|
@ -765,6 +780,7 @@ static int diag_cmd_set_msg_mask(unsigned char *src_buf, int src_len,
|
|||
struct diag_msg_mask_t *mask_next = NULL;
|
||||
uint32_t *temp = NULL;
|
||||
struct diag_md_session_t *info = NULL;
|
||||
uint8_t msg_mask_tbl_count = 0;
|
||||
|
||||
mutex_lock(&driver->md_session_lock);
|
||||
info = diag_md_session_get_pid(pid);
|
||||
|
@ -797,10 +813,12 @@ static int diag_cmd_set_msg_mask(unsigned char *src_buf, int src_len,
|
|||
mutex_unlock(&driver->md_session_lock);
|
||||
return -EINVAL;
|
||||
}
|
||||
for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++) {
|
||||
msg_mask_tbl_count = (info) ? info->msg_mask_tbl_count :
|
||||
driver->msg_mask_tbl_count;
|
||||
for (i = 0; i < msg_mask_tbl_count; i++, mask++) {
|
||||
if (!mask->ptr)
|
||||
continue;
|
||||
if (i < (driver->msg_mask_tbl_count - 1)) {
|
||||
if (i < (msg_mask_tbl_count - 1)) {
|
||||
mask_next = mask;
|
||||
mask_next++;
|
||||
} else
|
||||
|
@ -904,6 +922,7 @@ static int diag_cmd_set_all_msg_mask(unsigned char *src_buf, int src_len,
|
|||
struct diag_msg_mask_t *mask = NULL;
|
||||
struct diag_mask_info *mask_info = NULL;
|
||||
struct diag_md_session_t *info = NULL;
|
||||
uint8_t msg_mask_tbl_count = 0;
|
||||
|
||||
mutex_lock(&driver->md_session_lock);
|
||||
info = diag_md_session_get_pid(pid);
|
||||
|
@ -938,9 +957,11 @@ static int diag_cmd_set_all_msg_mask(unsigned char *src_buf, int src_len,
|
|||
mutex_unlock(&driver->md_session_lock);
|
||||
return -EINVAL;
|
||||
}
|
||||
msg_mask_tbl_count = (info) ? info->msg_mask_tbl_count :
|
||||
driver->msg_mask_tbl_count;
|
||||
mask_info->status = (req->rt_mask) ? DIAG_CTRL_MASK_ALL_ENABLED :
|
||||
DIAG_CTRL_MASK_ALL_DISABLED;
|
||||
for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++) {
|
||||
for (i = 0; i < msg_mask_tbl_count; i++, mask++) {
|
||||
if (mask && mask->ptr) {
|
||||
mutex_lock(&mask->lock);
|
||||
memset(mask->ptr, req->rt_mask,
|
||||
|
@ -1731,7 +1752,6 @@ static int __diag_mask_init(struct diag_mask_info *mask_info, int mask_len,
|
|||
}
|
||||
kmemleak_not_leak(mask_info->update_buf);
|
||||
}
|
||||
mutex_init(&mask_info->lock);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -1755,9 +1775,10 @@ int diag_log_mask_copy(struct diag_mask_info *dest, struct diag_mask_info *src)
|
|||
struct diag_log_mask_t *src_mask = NULL;
|
||||
struct diag_log_mask_t *dest_mask = NULL;
|
||||
|
||||
if (!src)
|
||||
if (!src || !dest)
|
||||
return -EINVAL;
|
||||
|
||||
mutex_init(&dest->lock);
|
||||
err = __diag_mask_init(dest, LOG_MASK_SIZE, APPS_BUF_SIZE);
|
||||
if (err)
|
||||
return err;
|
||||
|
@ -1820,9 +1841,11 @@ static int diag_msg_mask_init(void)
|
|||
int err = 0;
|
||||
int i;
|
||||
|
||||
mutex_init(&msg_mask.lock);
|
||||
err = __diag_mask_init(&msg_mask, MSG_MASK_SIZE, APPS_BUF_SIZE);
|
||||
if (err)
|
||||
return err;
|
||||
|
||||
err = diag_create_msg_mask_table();
|
||||
if (err) {
|
||||
pr_err("diag: Unable to create msg masks, err: %d\n", err);
|
||||
|
@ -1837,7 +1860,8 @@ static int diag_msg_mask_init(void)
|
|||
return 0;
|
||||
}
|
||||
|
||||
int diag_msg_mask_copy(struct diag_mask_info *dest, struct diag_mask_info *src)
|
||||
int diag_msg_mask_copy(struct diag_md_session_t *new_session,
|
||||
struct diag_mask_info *dest, struct diag_mask_info *src)
|
||||
{
|
||||
int i;
|
||||
int err = 0;
|
||||
|
@ -1848,17 +1872,25 @@ int diag_msg_mask_copy(struct diag_mask_info *dest, struct diag_mask_info *src)
|
|||
if (!src || !dest)
|
||||
return -EINVAL;
|
||||
|
||||
err = __diag_mask_init(dest, MSG_MASK_SIZE, APPS_BUF_SIZE);
|
||||
if (err)
|
||||
return err;
|
||||
mutex_init(&dest->lock);
|
||||
mutex_lock(&dest->lock);
|
||||
mutex_lock(&driver->msg_mask_lock);
|
||||
new_session->msg_mask_tbl_count =
|
||||
driver->msg_mask_tbl_count;
|
||||
err = __diag_mask_init(dest,
|
||||
(new_session->msg_mask_tbl_count *
|
||||
sizeof(struct diag_msg_mask_t)), APPS_BUF_SIZE);
|
||||
if (err) {
|
||||
mutex_unlock(&driver->msg_mask_lock);
|
||||
mutex_unlock(&dest->lock);
|
||||
return err;
|
||||
}
|
||||
src_mask = (struct diag_msg_mask_t *)src->ptr;
|
||||
dest_mask = (struct diag_msg_mask_t *)dest->ptr;
|
||||
|
||||
dest->mask_len = src->mask_len;
|
||||
dest->status = src->status;
|
||||
for (i = 0; i < driver->msg_mask_tbl_count; i++) {
|
||||
for (i = 0; i < new_session->msg_mask_tbl_count; i++) {
|
||||
range.ssid_first = src_mask->ssid_first;
|
||||
range.ssid_last = src_mask->ssid_last;
|
||||
err = diag_create_msg_mask_table_entry(dest_mask, &range);
|
||||
|
@ -1874,10 +1906,12 @@ int diag_msg_mask_copy(struct diag_mask_info *dest, struct diag_mask_info *src)
|
|||
return err;
|
||||
}
|
||||
|
||||
void diag_msg_mask_free(struct diag_mask_info *mask_info)
|
||||
void diag_msg_mask_free(struct diag_mask_info *mask_info,
|
||||
struct diag_md_session_t *session_info)
|
||||
{
|
||||
int i;
|
||||
struct diag_msg_mask_t *mask = NULL;
|
||||
uint8_t msg_mask_tbl_count = 0;
|
||||
|
||||
if (!mask_info || !mask_info->ptr)
|
||||
return;
|
||||
|
@ -1891,7 +1925,10 @@ void diag_msg_mask_free(struct diag_mask_info *mask_info)
|
|||
mutex_unlock(&mask_info->lock);
|
||||
return;
|
||||
}
|
||||
for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++) {
|
||||
msg_mask_tbl_count = (session_info) ?
|
||||
session_info->msg_mask_tbl_count :
|
||||
driver->msg_mask_tbl_count;
|
||||
for (i = 0; i < msg_mask_tbl_count; i++, mask++) {
|
||||
kfree(mask->ptr);
|
||||
mask->ptr = NULL;
|
||||
}
|
||||
|
@ -1922,6 +1959,7 @@ static int diag_build_time_mask_init(void)
|
|||
int err = 0;
|
||||
|
||||
/* There is no need for update buffer for Build Time masks */
|
||||
mutex_init(&msg_bt_mask.lock);
|
||||
err = __diag_mask_init(&msg_bt_mask, MSG_MASK_SIZE, 0);
|
||||
if (err)
|
||||
return err;
|
||||
|
@ -1955,6 +1993,7 @@ static int diag_log_mask_init(void)
|
|||
int err = 0;
|
||||
int i;
|
||||
|
||||
mutex_init(&log_mask.lock);
|
||||
err = __diag_mask_init(&log_mask, LOG_MASK_SIZE, APPS_BUF_SIZE);
|
||||
if (err)
|
||||
return err;
|
||||
|
@ -1989,6 +2028,7 @@ static int diag_event_mask_init(void)
|
|||
int err = 0;
|
||||
int i;
|
||||
|
||||
mutex_init(&event_mask.lock);
|
||||
err = __diag_mask_init(&event_mask, EVENT_MASK_SIZE, APPS_BUF_SIZE);
|
||||
if (err)
|
||||
return err;
|
||||
|
@ -2010,6 +2050,7 @@ int diag_event_mask_copy(struct diag_mask_info *dest,
|
|||
if (!src || !dest)
|
||||
return -EINVAL;
|
||||
|
||||
mutex_init(&dest->lock);
|
||||
err = __diag_mask_init(dest, EVENT_MASK_SIZE, APPS_BUF_SIZE);
|
||||
if (err)
|
||||
return err;
|
||||
|
@ -2049,6 +2090,7 @@ int diag_copy_to_user_msg_mask(char __user *buf, size_t count,
|
|||
struct diag_mask_info *mask_info = NULL;
|
||||
struct diag_msg_mask_t *mask = NULL;
|
||||
unsigned char *ptr = NULL;
|
||||
uint8_t msg_mask_tbl_count = 0;
|
||||
|
||||
if (!buf || count == 0)
|
||||
return -EINVAL;
|
||||
|
@ -2081,7 +2123,9 @@ int diag_copy_to_user_msg_mask(char __user *buf, size_t count,
|
|||
mutex_unlock(&mask_info->lock);
|
||||
return -EINVAL;
|
||||
}
|
||||
for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++) {
|
||||
msg_mask_tbl_count = (info) ? info->msg_mask_tbl_count :
|
||||
driver->msg_mask_tbl_count;
|
||||
for (i = 0; i < msg_mask_tbl_count; i++, mask++) {
|
||||
if (!mask->ptr)
|
||||
continue;
|
||||
ptr = mask_info->update_buf;
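Review bot: In diag_msg_mask_copy the session's table is now allocated as `new_session->msg_mask_tbl_count * sizeof(struct diag_msg_mask_t)`, but the unchanged line `dest->mask_len = src->mask_len;` still stores the source table's length for it. If any reader treats mask_len as the size of dest->ptr (none is visible in these hunks, so this needs confirming), that bound can exceed the per-session allocation; storing the allocated size there, or a comment saying mask_len is not a bound for the session copy, would settle it. The same function dereferences new_session while guarding only the other two pointers, so the check should read `if (!src || !dest || !new_session)`. Because `mutex_init(&mask_info->lock)` moved out of __diag_mask_init into its callers, any caller of __diag_mask_init outside the hunks shown needs its own mutex_init as well. The body of diag_msg_mask_copy continues outside the hunk.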
|
||||
|
|
|
@ -160,12 +160,13 @@ int diag_masks_init(void);
|
|||
void diag_masks_exit(void);
|
||||
int diag_log_mask_copy(struct diag_mask_info *dest,
|
||||
struct diag_mask_info *src);
|
||||
int diag_msg_mask_copy(struct diag_mask_info *dest,
|
||||
struct diag_mask_info *src);
|
||||
int diag_msg_mask_copy(struct diag_md_session_t *new_session,
|
||||
struct diag_mask_info *dest, struct diag_mask_info *src);
|
||||
int diag_event_mask_copy(struct diag_mask_info *dest,
|
||||
struct diag_mask_info *src);
|
||||
void diag_log_mask_free(struct diag_mask_info *mask_info);
|
||||
void diag_msg_mask_free(struct diag_mask_info *mask_info);
|
||||
void diag_msg_mask_free(struct diag_mask_info *mask_info,
|
||||
struct diag_md_session_t *session_info);
|
||||
void diag_event_mask_free(struct diag_mask_info *mask_info);
|
||||
int diag_process_apps_masks(unsigned char *buf, int len, int pid);
|
||||
void diag_send_updates_peripheral(uint8_t peripheral);
|
||||
|
|
|
@ -442,6 +442,7 @@ struct diag_md_session_t {
|
|||
int pid;
|
||||
int peripheral_mask;
|
||||
uint8_t hdlc_disabled;
|
||||
uint8_t msg_mask_tbl_count;
|
||||
struct timer_list hdlc_reset_timer;
|
||||
struct diag_mask_info *msg_mask;
|
||||
struct diag_mask_info *log_mask;
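Review bot: The new `msg_mask_tbl_count` field carries no comment, although every loop changed in this commit relies on it matching the number of entries allocated behind `msg_mask->ptr`. A one-line comment next to the field, for example `/* entries allocated in msg_mask->ptr; set in diag_msg_mask_copy() */`, would record that invariant where the next maintainer will look. The struct definition starts and ends outside the hunk.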
|
||||
|
|
|
@ -1299,7 +1299,8 @@ static void diag_md_session_exit(void)
|
|||
diag_log_mask_free(session_info->log_mask);
|
||||
kfree(session_info->log_mask);
|
||||
session_info->log_mask = NULL;
|
||||
diag_msg_mask_free(session_info->msg_mask);
|
||||
diag_msg_mask_free(session_info->msg_mask,
|
||||
session_info);
|
||||
kfree(session_info->msg_mask);
|
||||
session_info->msg_mask = NULL;
|
||||
diag_event_mask_free(session_info->event_mask);
|
||||
|
@ -1371,7 +1372,9 @@ int diag_md_session_create(int mode, int peripheral_mask, int proc)
|
|||
"return value of event copy. err %d\n", err);
|
||||
goto fail_peripheral;
|
||||
}
|
||||
err = diag_msg_mask_copy(new_session->msg_mask, &msg_mask);
|
||||
new_session->msg_mask_tbl_count = 0;
|
||||
err = diag_msg_mask_copy(new_session, new_session->msg_mask,
|
||||
&msg_mask);
|
||||
if (err) {
|
||||
DIAG_LOG(DIAG_DEBUG_USERSPACE,
|
||||
"return value of msg copy. err %d\n", err);
|
||||
|
@ -1407,7 +1410,8 @@ fail_peripheral:
|
|||
diag_event_mask_free(new_session->event_mask);
|
||||
kfree(new_session->event_mask);
|
||||
new_session->event_mask = NULL;
|
||||
diag_msg_mask_free(new_session->msg_mask);
|
||||
diag_msg_mask_free(new_session->msg_mask,
|
||||
new_session);
|
||||
kfree(new_session->msg_mask);
|
||||
new_session->msg_mask = NULL;
|
||||
kfree(new_session);
|
||||
|
@ -1435,7 +1439,8 @@ static void diag_md_session_close(int pid)
|
|||
diag_log_mask_free(session_info->log_mask);
|
||||
kfree(session_info->log_mask);
|
||||
session_info->log_mask = NULL;
|
||||
diag_msg_mask_free(session_info->msg_mask);
|
||||
diag_msg_mask_free(session_info->msg_mask,
|
||||
session_info);
|
||||
kfree(session_info->msg_mask);
|
||||
session_info->msg_mask = NULL;
|
||||
diag_event_mask_free(session_info->event_mask);
|
||||
|
|