dsp: q6lsm: Address use after free for mmap handle

The global declared mmap_handle can be left dangling for case when the handle is freed by the calling function. Fix is to address this. Also add a check to make sure the mmap_handle is accessed legally. Change-Id: I367f8a41339aa0025b545b125ee820220efedeee Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
2023-07-20 14:40:44 +05:30 · 2023-07-20 14:40:44 +05:30 · 79f709cdec
commit 79f709cdec
parent 01db7bcebc
1 changed files with 7 additions and 1 deletions
--- a/dsp/q6lsm.c
+++ b/dsp/q6lsm.c
@ -484,6 +484,10 @@ static int q6lsm_apr_send_pkt(struct lsm_client *client, void *handle,
 	}

 	pr_debug("%s: enter wait %d\n", __func__, wait);
+	if (mmap_handle_p) {
+		pr_debug("%s: Invalid mmap_handle\n", __func__);
+		return -EINVAL;
+	}
 	if (wait)
 		mutex_lock(&lsm_common.apr_lock);
 	if (mmap_p) {
@ -536,6 +540,7 @@ static int q6lsm_apr_send_pkt(struct lsm_client *client, void *handle,

 	if (mmap_p && *mmap_p == 0)
 		ret = -ENOMEM;
+	mmap_handle_p = NULL;
 	pr_debug("%s: leave ret %d\n", __func__, ret);
 	return ret;
 }
@ -2140,7 +2145,8 @@ static int q6lsm_mmapcallback(struct apr_client_data *data, void *priv)
 	case LSM_SESSION_CMDRSP_SHARED_MEM_MAP_REGIONS:
 		if (atomic_read(&client->cmd_state) == CMD_STATE_WAIT_RESP) {
 			spin_lock_irqsave(&mmap_lock, flags);
-			*mmap_handle_p = command;
+			if (mmap_handle_p)
+				*mmap_handle_p = command;
 			/* spin_unlock_irqrestore implies barrier */
 			spin_unlock_irqrestore(&mmap_lock, flags);
 			atomic_set(&client->cmd_state, CMD_STATE_CLEARED);