From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ben Wolsieffer, Stefan Wahren
Subject: [PATCH 4.19 125/139] staging: vchiq_arm: fix compat VCHIQ_IOC_AWAIT_COMPLETION
Date: Tue, 4 Dec 2018 11:50:06 +0100
Message-Id: <20181204103655.861088088@linuxfoundation.org>
In-Reply-To: <20181204103649.950154335@linuxfoundation.org>
References: <20181204103649.950154335@linuxfoundation.org>
X-Mailer: git-send-email 2.19.2
User-Agent: quilt/0.65
X-stable: review

4.19-stable review patch. If anyone has any objections, please let me know.

------------------
From: Ben Wolsieffer

commit 5a96b2d38dc054c0bbcbcd585b116566cbd877fe upstream.

The compatibility ioctl wrapper for VCHIQ_IOC_AWAIT_COMPLETION assumes that the native ioctl always uses a message buffer and decrements msgbufcount. Certain message types do not use a message buffer and in this case msgbufcount is not decremented, and completion->header for the message is NULL.

Because the wrapper unconditionally decrements msgbufcount, the calling process may assume that a message buffer has been used even when it has not. This results in a memory leak in the userspace code that interfaces with this driver. When msgbufcount is decremented, the userspace code assumes that the buffer can be freed through the reference in completion->header, which cannot happen when the reference is NULL.

This patch causes the wrapper to only decrement msgbufcount when the native ioctl decrements it. Note that we cannot simply copy the native ioctl's value of msgbufcount, because the wrapper only retrieves messages from the native ioctl one at a time, while userspace may request multiple messages.

See https://github.com/raspberrypi/linux/pull/2703 for more discussion of this patch.

Fixes: 5569a1260933 ("staging: vchiq_arm: Add compatibility wrappers for ioctls")
Signed-off-by: Ben Wolsieffer
Acked-by: Stefan Wahren
Cc: stable
Signed-off-by: Greg Kroah-Hartman
---
 drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c @@ -1787,6 +1787,7 @@ vchiq_compat_ioctl_await_completion(stru struct vchiq_await_completion32 args32; struct vchiq_completion_data32 completion32; unsigned int *msgbufcount32; + unsigned int msgbufcount_native; compat_uptr_t msgbuf32; void *msgbuf; void **msgbufptr;
@@ -1898,7 +1899,11 @@ vchiq_compat_ioctl_await_completion(stru sizeof(completion32))) return -EFAULT; - args32.msgbufcount--; + if (get_user(msgbufcount_native, &args->msgbufcount)) + return -EFAULT; + + if (!msgbufcount_native) + args32.msgbufcount--; msgbufcount32 = &((struct vchiq_await_completion32 __user *)arg)->msgbufcount;
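Review bot: the new check `if (!msgbufcount_native) args32.msgbufcount--;` in the second hunk is only correct because the wrapper hands the native ioctl a msgbufcount of exactly one per call, so a native value of zero means "the single buffer on offer was consumed"; that precondition is stated in the commit message but nowhere near the check, and the next person to touch this code could "simplify" it back into a copy of the native value, which the commit message explicitly says is wrong. Suggest a one-line comment above the get_user(), along the lines of "native ioctl was given one buffer; zero means it used it", so the invariant travels with the code. The extra -EFAULT exit from the get_user() sits after the completion has already been copied back to userspace, which matches the existing copy_to_user failure path just above it, so no behavioural objection there.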
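The bookkeeping the commit message describes, as an added example that is mine and not the driver's or Ben Wolsieffer's code: a userspace model in which a native handler consumes a buffer only for some completion types, a compat wrapper offers it one buffer per call and reports a 32-bit count back, and a calling library frees buffers only through a non-NULL completion->header. It runs the same six-message sequence under three policies: the pre-patch unconditional decrement, the "just copy the native value" shortcut the commit message rules out, and the patched decrement-only-if-native-did. All type and function names (completion_model, native_await_one, compat_await_one, run_scenario, the POLICY_* values) and the message sequence are constructed for this example and do not exist in vchiq.

```c
/*
 * Added example, not kernel code: a userspace model of the msgbufcount
 * bookkeeping between the vchiq compat wrapper, the native
 * VCHIQ_IOC_AWAIT_COMPLETION handler and the calling library, as the commit
 * message describes it. All names and the message sequence are constructed.
 */
#include <stdbool.h>
#include <stdio.h>

/* One queued completion; only some message types need a user message buffer. */
struct completion_model { bool uses_buffer; };
struct native_state { const struct completion_model *queue; size_t nqueued, next; };

/* Native ioctl model, asked for one completion with *msgbufcount buffers on offer:
 * decrements *msgbufcount only if the completion needs a buffer; header is
 * reported as NULL (false) when it does not. Returns true if delivered. */
static bool native_await_one(struct native_state *st, unsigned int *msgbufcount,
                             bool *header_is_set)
{
    if (st->next >= st->nqueued)
        return false;
    const struct completion_model *c = &st->queue[st->next];
    if (c->uses_buffer) {
        if (*msgbufcount == 0)
            return false;        /* nowhere to put the payload: not delivered */
        (*msgbufcount)--;
    }
    st->next++;
    *header_is_set = c->uses_buffer;
    return true;
}

enum wrapper_policy {
    POLICY_ALWAYS_DECREMENT,   /* pre-patch: args32.msgbufcount-- unconditionally */
    POLICY_COPY_NATIVE,        /* the shortcut the commit message says is wrong */
    POLICY_DECREMENT_IF_USED,  /* the patch: decrement only if the native call did */
};

/* One compat ioctl call. The caller's count may be large, but the wrapper offers
 * the native handler at most one buffer per call. Returns 1 if a completion
 * was delivered, 0 otherwise. */
static int compat_await_one(struct native_state *st, enum wrapper_policy policy,
                            unsigned int *msgbufcount32, bool *header_is_set)
{
    unsigned int native_count = *msgbufcount32 ? 1 : 0;
    if (!native_await_one(st, &native_count, header_is_set))
        return 0;
    if (*msgbufcount32 == 0)
        return 1;                /* nothing was offered, nothing to account for */
    switch (policy) {
    case POLICY_ALWAYS_DECREMENT:
        (*msgbufcount32)--;
        break;
    case POLICY_COPY_NATIVE:
        *msgbufcount32 = native_count;
        break;
    case POLICY_DECREMENT_IF_USED:
        if (!native_count)       /* native consumed the one buffer it was given */
            (*msgbufcount32)--;
        break;
    }
    return 1;
}

/* delivered: completions received; final_count: msgbufcount reported back at the
 * end; leaked: buffers the caller believes are held but cannot release (header NULL). */
struct scenario_result { unsigned int delivered, final_count, leaked; };

/* Calling-library model: starts with nbufs buffers, treats (nbufs - reported
 * count) as held by completions, and can only release a held buffer through a
 * non-NULL completion->header. */
static struct scenario_result run_scenario(enum wrapper_policy policy,
                                           const struct completion_model *queue,
                                           size_t n, unsigned int nbufs)
{
    struct native_state st = { queue, n, 0 };
    struct scenario_result r = { 0, nbufs, 0 };
    unsigned int reachable = 0;
    bool header = false;
    while (compat_await_one(&st, policy, &r.final_count, &header)) {
        r.delivered++;
        reachable += header;
    }
    unsigned int believed_held = nbufs - r.final_count;
    r.leaked = believed_held > reachable ? believed_held - reachable : 0;
    return r;
}

/* Constructed sequence: 6 completions, 3 of which carry a payload. */
static const struct completion_model sample_queue[] = {
    { true }, { false }, { true }, { false }, { false }, { true },
};

int main(void)
{
    struct scenario_result r = run_scenario(POLICY_ALWAYS_DECREMENT, sample_queue, 6, 8);
    printf("pre-patch: delivered %u, msgbufcount %u, leaked %u\n", r.delivered, r.final_count, r.leaked);
    r = run_scenario(POLICY_DECREMENT_IF_USED, sample_queue, 6, 8);
    printf("patched:   delivered %u, msgbufcount %u, leaked %u\n", r.delivered, r.final_count, r.leaked);
    return 0;
}
```

With eight buffers and that sequence, the pre-patch policy delivers all six completions but reports a count of 2, so the library believes six buffers are held while only three have a header to free them through: a leak of exactly one buffer per buffer-less completion. Copying the native value reports 0 after the first payload message, so the library stops offering buffers and the third payload completion is never delivered at all, which is why the commit message says the native count cannot simply be copied when the caller asked for more than one buffer. The patched policy reports 5, matching the three buffers actually consumed.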