From 79f709cdec3f032739b95467c3c70debb37ac13e Mon Sep 17 00:00:00 2001
From: Soumya Managoli
Date: Thu, 20 Jul 2023 14:40:44 +0530
Subject: [PATCH] dsp: q6lsm: Address use after free for mmap handle

The global declared mmap_handle can be left dangling for case when the handle is freed by the calling function. Fix is to address this. Also add a check to make sure the mmap_handle is accessed legally.

Change-Id: I367f8a41339aa0025b545b125ee820220efedeee
Signed-off-by: Soumya Managoli
---
 dsp/q6lsm.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/dsp/q6lsm.c b/dsp/q6lsm.c
index 40a006b6e6f8..e1aad637d8be 100644
--- a/dsp/q6lsm.c
+++ b/dsp/q6lsm.c
@@ -484,6 +484,10 @@ static int q6lsm_apr_send_pkt(struct lsm_client *client, void *handle,
 }
 pr_debug("%s: enter wait %d\n", __func__, wait);
+ if (mmap_handle_p) {
+ pr_debug("%s: Invalid mmap_handle\n", __func__);
+ return -EINVAL;
+ }
 if (wait)
 mutex_lock(&lsm_common.apr_lock);
 if (mmap_p) {
@@ -536,6 +540,7 @@ static int q6lsm_apr_send_pkt(struct lsm_client *client, void *handle,
 if (mmap_p && *mmap_p == 0)
 ret = -ENOMEM;
+ mmap_handle_p = NULL;
 pr_debug("%s: leave ret %d\n", __func__, ret);
 return ret;
 }
@@ -2140,7 +2145,8 @@ static int q6lsm_mmapcallback(struct apr_client_data *data, void *priv)
 case LSM_SESSION_CMDRSP_SHARED_MEM_MAP_REGIONS:
 if (atomic_read(&client->cmd_state) == CMD_STATE_WAIT_RESP) {
 spin_lock_irqsave(&mmap_lock, flags);
- *mmap_handle_p = command;
+ if (mmap_handle_p)
+ *mmap_handle_p = command;
 /* spin_unlock_irqrestore implies barrier */
 spin_unlock_irqrestore(&mmap_lock, flags);
 atomic_set(&client->cmd_state, CMD_STATE_CLEARED);
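Review bot: The new `if (mmap_handle_p)` check in the first hunk reads the global with no lock held: the callback in the third hunk only touches `mmap_handle_p` under `mmap_lock`, and `lsm_common.apr_lock` is taken only after the check, so two callers entering the wait path at the same time can both pass it before either one assigns the pointer (that assignment, like the start of q6lsm_apr_send_pkt, is outside this hunk). The `mmap_handle_p = NULL` store in the second hunk is the same unlocked access to the same global. Reading it under `mmap_lock`, or placing the check after `mutex_lock(&lsm_common.apr_lock)` for the wait path, would close that window. The message also misstates the condition — the pointer is not invalid, it is still owned by an earlier request that has not finished — e.g. `pr_debug("%s: mmap_handle_p still in use by a previous request\n", __func__);`.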
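Review bot: `mmap_handle_p = NULL` is placed on the only return visible in the second hunk, but if the body between the first and second hunk (outside this view) returns early on a send or wait failure, the global keeps pointing at storage the caller then releases, and every later call is refused with -EINVAL by the new check until the driver is reloaded. Resetting the pointer on every exit path, e.g. by routing the error returns through a single `out:` label that also performs the clear, would keep a transient failure from becoming a permanent one. If q6lsm_apr_send_pkt has no early returns after the check this does not apply.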
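Review bot: With the guard added in the third hunk, a map-regions response that arrives while `mmap_handle_p` is NULL is now dropped silently, including the handle carried in `command`, which makes a timed-out mapping request hard to diagnose afterwards. An else branch under the same lock, `else pr_debug("%s: mmap_handle_p is NULL, map response dropped\n", __func__);`, would record the event. Whether the mapping the DSP reports here needs to be released in that case cannot be determined from this hunk. The enclosing switch and q6lsm_mmapcallback continue outside the hunk.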