From fbfd19948f6f87e88c89b509d4776ee7a55895cd Mon Sep 17 00:00:00 2001
From: Skylar Chang
Date: Fri, 22 Jul 2016 15:03:16 -0700
Subject: [PATCH] msm: ipa: handle information leak on ADD_FLT_RULE_INDEX ioctl

IPA might have Information leak and device crash due to kernel heap overread in IPA driver when processing WAN_IOC_ADD_FLT_RULE_INDEX ioctl. The fix is to add check on max number of filter rules send to modem.

Change-Id: I454e04d05cfcb7af8fc4bd2b4a1bade55c4684d0
Signed-off-by: Skylar Chang
---
 drivers/platform/msm/ipa/ipa_v2/ipa_qmi_service.c | 9 +++++++--
 drivers/platform/msm/ipa/ipa_v3/ipa_qmi_service.c | 9 +++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_qmi_service.c b/drivers/platform/msm/ipa/ipa_v2/ipa_qmi_service.c
index d5d2abe137f4..137a43a1217b 100644
--- a/drivers/platform/msm/ipa/ipa_v2/ipa_qmi_service.c
+++ b/drivers/platform/msm/ipa/ipa_v2/ipa_qmi_service.c
@@ -160,7 +160,7 @@ static int handle_install_filter_rule_req(void *req_h, void *req)
 resp.filter_handle_list_len = MAX_NUM_Q6_RULE;
 IPAWANERR("installed (%d) max Q6-UL rules ",
 MAX_NUM_Q6_RULE);
- IPAWANERR("but modem gives total (%d)\n",
+ IPAWANERR("but modem gives total (%u)\n",
 rule_req->filter_spec_list_len);
 } else {
 resp.filter_handle_list_len =
@@ -513,7 +513,7 @@ int qmi_filter_request_send(struct ipa_install_fltr_rule_req_msg_v01 *req)
 if (req->filter_spec_list_len == 0) {
 IPAWANDBG("IPACM pass zero rules to Q6\n");
 } else {
- IPAWANDBG("IPACM pass %d rules to Q6\n",
+ IPAWANDBG("IPACM pass %u rules to Q6\n",
 req->filter_spec_list_len);
 }
 
@@ -649,6 +649,11 @@ int qmi_filter_notify_send(struct ipa_fltr_installed_notif_req_msg_v01 *req)
 IPAWANERR(" delete UL filter rule for pipe %d\n",
 req->source_pipe_index);
 return -EINVAL;
+ } else if (req->filter_index_list_len > QMI_IPA_MAX_FILTERS_V01) {
+ IPAWANERR(" UL filter rule for pipe %d exceed max (%u)\n",
+ req->source_pipe_index,
+ req->filter_index_list_len);
+ return -EINVAL;
 } else if (req->filter_index_list[0].filter_index == 0 &&
 req->source_pipe_index !=
 ipa2_get_ep_mapping(IPA_CLIENT_APPS_LAN_WAN_PROD)) {
diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_qmi_service.c b/drivers/platform/msm/ipa/ipa_v3/ipa_qmi_service.c
index 534a37d906fc..d68a2ce3c041 100644
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_qmi_service.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_qmi_service.c
@@ -169,7 +169,7 @@ static int ipa3_handle_install_filter_rule_req(void *req_h, void *req)
 resp.rule_id_len = MAX_NUM_Q6_RULE;
 IPAWANERR("installed (%d) max Q6-UL rules ",
 MAX_NUM_Q6_RULE);
- IPAWANERR("but modem gives total (%d)\n",
+ IPAWANERR("but modem gives total (%u)\n",
 rule_req->filter_spec_ex_list_len);
 } else {
 resp.rule_id_len =
@@ -592,7 +592,7 @@ int ipa3_qmi_filter_request_send(struct ipa_install_fltr_rule_req_msg_v01 *req)
 if (req->filter_spec_ex_list_len == 0) {
 IPAWANDBG("IPACM pass zero rules to Q6\n");
 } else {
- IPAWANDBG("IPACM pass %d rules to Q6\n",
+ IPAWANDBG("IPACM pass %u rules to Q6\n",
 req->filter_spec_ex_list_len);
 }
 
@@ -725,6 +725,11 @@ int ipa3_qmi_filter_notify_send(
 IPAWANERR(" delete UL filter rule for pipe %d\n",
 req->source_pipe_index);
 return -EINVAL;
+ } else if (req->rule_id_len > QMI_IPA_MAX_FILTERS_V01) {
+ IPAWANERR(" UL filter rule for pipe %d exceed max (%u)\n",
+ req->source_pipe_index,
+ req->rule_id_len);
+ return -EINVAL;
 }
 
 /* cache the qmi_filter_request */
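Review bot: The IPAWANERR in the added `else if` of the @@ -649 hunk prints the rejected length right after the words "exceed max", so the log reads as though %u were the limit rather than the offending value; logging both keeps a rejected request unambiguous when someone triages it later, e.g. `IPAWANERR(" UL filter rule for pipe %d: %u entries exceed max %d\n", req->source_pipe_index, req->filter_index_list_len, QMI_IPA_MAX_FILTERS_V01);`. Expressing the bound as `req->filter_index_list_len > ARRAY_SIZE(req->filter_index_list)` would also tie the check to the array actually indexed on the next line, so it stays correct if the QMI message is ever regenerated with a different capacity — this assumes filter_index_list is a fixed-size array in the request struct, which the hunk does not show. The same message wording applies to the ipa_v3 check in the @@ -725 hunk of ipa_v3/ipa_qmi_service.c. qmi_filter_notify_send begins and ends outside this hunk.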
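Review bot: The guard added in the @@ -725 hunk bounds only `rule_id_len`, whereas the ipa_v2 counterpart bounds `filter_index_list_len`; if the v3 `struct ipa_fltr_installed_notif_req_msg_v01` also carries a filter_index_list that is walked anywhere on this path, it would need an equivalent `> QMI_IPA_MAX_FILTERS_V01` check before the request is cached. The struct definition and the remainder of ipa3_qmi_filter_notify_send are outside this hunk, so this is a point to confirm rather than a defect visible here. A one-line comment above the new branch, `/* rule_id_len is caller-supplied; bound it before rule_id[] is indexed */`, would record why the check precedes the cache step.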