Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp8125608imu;
        Tue, 4 Dec 2018 03:26:49 -0800 (PST)
X-Google-Smtp-Source: AFSGD/W95t7/G3KosKQFV+LDC8QYyIwPqufTIJZVjRzY+ajTw9+W1VEP9lbEOj1PjzUvYwKfTY/b
X-Received: by 2002:a63:fc49:: with SMTP id r9mr16035926pgk.209.1543922809013;
        Tue, 04 Dec 2018 03:26:49 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543922808; cv=none;
        d=google.com; s=arc-20160816;
        b=T1E57UxGYLgZGVdbL8B2ptF2zmOYIpD8zBrIePJ5nyE7s2aEOOfe/xeuh+wh/KAI2q
         RVYw5f4TjzKSOH9Pzqcmxor9mX5IgVweKl1dxM8fHXDx+ODxe0khpytWmOCwwXFqSfXl
         huJHTW6xlD3T2uDMitUvom2tHZofFAc0LvJb6FTiLeFjIJBEdd1EDklWmFNMjB1T0iFk
         6yb7ZoA+MTsV2hoc1GJ3pb/YBqCPwVIN3Re3DTNSOcEQQF5QvL/UQ2hhpgfP6NJwtB03
         Qc+MYa0iZqw2Ak84luGWdSHTCuWYlbEeC/WC/Quo1wU1DLMeGjVvIthvynfUuumbErvP
         mv7Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=W6hhKWbOqnqlLwyFqhe0hs5j1iVYJyR/n2G3KDY9iog=;
        b=RkKHFWnKGKVLr6WJ1+njdYcC2SpUlLAvbOnUWBU4ddTPSPBcC1JN9sLRxo9lJ9B07g
         1IBLKTVxxOhgxCicyUa8xRR8D2EkF438x8N2lVeXjTFxiVVYWALDyMGQw3Kz+FAhniJy
         VQ7zxj2AWXWSZIe0vhVwdXQuMMRyFAzLN1YF32Tgxwg/Du6h8/WGe5i6m2iXqkMTGbAr
         PnwYZaKNP0Nh0AHZZowW1rss4Wxli05H+4N06QVIXuJ/WxkZrCjka0ZSlsmFSFZAIkTH
         pNbOKvpP/WE8zsf52t5DW++pBwIu8ip25ZvWEfJzx4ux7MCwUgk9foXrLLJ5/Giv1e+T
         r5ng==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=amNyvVC0;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f5si16749830pfn.259.2018.12.04.03.26.34;
        Tue, 04 Dec 2018 03:26:48 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=amNyvVC0;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726991AbeLDL0B (ORCPT <rfc822;zzmahb@gmail.com> + 99 others);
        Tue, 4 Dec 2018 06:26:01 -0500
Received: from mail.kernel.org ([198.145.29.99]:45476 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726910AbeLDLAN (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 4 Dec 2018 06:00:13 -0500
Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 9A2CA2087F;
        Tue,  4 Dec 2018 11:00:12 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1543921213;
        bh=f/w3rFd/SxjncCtGkDPhV+36TZJxoISwoHw9Woz1sRM=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=amNyvVC01pOHe8kTLkzKdZgCuRe6URX9cDj8rPiW9I6e9uWKIjuVuNIEBRuictb8T
         QW0sX4p96iq2WO0fGxs0Ytnz8EGlZf7xhYP+qqgU/TmTbnnQKkbUCpcMJYzu/NXNkJ
         PrhDtXUgRFatNw5exfbNhDstkTBQu+c+2tT/7ofE=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Ben Wolsieffer <benwolsieffer@gmail.com>,
        Stefan Wahren <stefan.wahren@i2se.com>
Subject: [PATCH 4.19 125/139] staging: vchiq_arm: fix compat VCHIQ_IOC_AWAIT_COMPLETION
Date:   Tue,  4 Dec 2018 11:50:06 +0100
Message-Id: <20181204103655.861088088@linuxfoundation.org>
X-Mailer: git-send-email 2.19.2
In-Reply-To: <20181204103649.950154335@linuxfoundation.org>
References: <20181204103649.950154335@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Wolsieffer <benwolsieffer@gmail.com>

commit 5a96b2d38dc054c0bbcbcd585b116566cbd877fe upstream.

The compatibility ioctl wrapper for VCHIQ_IOC_AWAIT_COMPLETION assumes that
the native ioctl always uses a message buffer and decrements msgbufcount.
Certain message types do not use a message buffer and in this case
msgbufcount is not decremented, and completion->header for the message is
NULL. Because the wrapper unconditionally decrements msgbufcount, the
calling process may assume that a message buffer has been used even when
it has not.

This results in a memory leak in the userspace code that interfaces with
this driver. When msgbufcount is decremented, the userspace code assumes
that the buffer can be freed though the reference in completion->header,
which cannot happen when the reference is NULL.

This patch causes the wrapper to only decrement msgbufcount when the
native ioctl decrements it. Note that we cannot simply copy the native
ioctl's value of msgbufcount, because the wrapper only retrieves messages
from the native ioctl one at a time, while userspace may request multiple
messages.

See https://github.com/raspberrypi/linux/pull/2703 for more discussion of
this patch.

Fixes: 5569a1260933 ("staging: vchiq_arm: Add compatibility wrappers for ioctls")
Signed-off-by: Ben Wolsieffer <benwolsieffer@gmail.com>
Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
@@ -1787,6 +1787,7 @@ vchiq_compat_ioctl_await_completion(stru
 	struct vchiq_await_completion32 args32;
 	struct vchiq_completion_data32 completion32;
 	unsigned int *msgbufcount32;
+	unsigned int msgbufcount_native;
 	compat_uptr_t msgbuf32;
 	void *msgbuf;
 	void **msgbufptr;
@@ -1898,7 +1899,11 @@ vchiq_compat_ioctl_await_completion(stru
 			 sizeof(completion32)))
 		return -EFAULT;
 
-	args32.msgbufcount--;
+	if (get_user(msgbufcount_native, &args->msgbufcount))
+		return -EFAULT;
+
+	if (!msgbufcount_native)
+		args32.msgbufcount--;
 
 	msgbufcount32 =
 		&((struct vchiq_await_completion32 __user *)arg)->msgbufcount;