author | Nick Chung <nickchung@google.com> | 2022-10-19 13:41:27 +0800 |
---|---|---|
committer | Nick Chung <nickchung@google.com> | 2023-03-06 06:54:19 +0000 |
commit | f8b79e38bbfac9ecab1b8ce4c3253dc43146e9c5 (patch) | |
tree | b45701b71c65f43aeb2caea22cceeb309afafa38 /lwis_device_slc.c | |
parent | 4ef14bc9f7721b963266696527d704104044cd73 (diff) | |
SLC: fix type confusion vulnerability
Check that the SLC file ops are equal to pt_file_ops.
Bug: 245300559
Test: adb shell /data/local/tmp/test_poc
Signed-off-by: Nick Chung <nickchung@google.com>
Change-Id: I4a4ba91bc384a2a4b75c64cbf2bd0240bec17bc8
(cherry picked from commit d5c273ae9e34ff673476f726d1910067902bfc47)
Diffstat (limited to 'lwis_device_slc.c')
-rw-r--r-- | lwis_device_slc.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/lwis_device_slc.c b/lwis_device_slc.c
index dd570c1..5b0dd53 100644
--- a/lwis_device_slc.c
+++ b/lwis_device_slc.c
@@ -216,7 +216,14 @@ int lwis_slc_buffer_free(struct lwis_device *lwis_dev, int fd)
 if (fp == NULL) {
 return -EBADF;
 }
- slc_pt = fp->private_data;
+
+ if (fp->f_op != &pt_file_ops) {
+ dev_err(lwis_dev->dev, "SLC file ops is not equal to pt_file_ops\n");
+ fput(fp);
+ return -EINVAL;
+ }
+
+ slc_pt = (struct slc_partition *)fp->private_data;
 if (slc_pt->fd != fd) {
 dev_warn(lwis_dev->dev, "Stale SLC buffer free for fd %d with ptid %d\n", fd, |
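Review bot: The reject path added before the `private_data` read logs with `dev_err` on every call, and since `fd` appears to come straight from the caller (the commit's test drives it from a userspace PoC), any process that can reach this path can fill the kernel log; `dev_err_ratelimited(lwis_dev->dev, "fd %d is not an SLC partition file\n", fd);` would bound that and record which descriptor was rejected. The `f_op` comparison is the only thing that establishes the type of `fp->private_data`, so it deserves a comment such as `/* fd is caller-supplied and may name any open file; only a pt_file_ops file carries a struct slc_partition in private_data */`. The `(struct slc_partition *)` cast on the assignment is not needed in C, where `void *` converts implicitly, and it would silence the compiler if the field's type ever changed. The function body starts and ends outside the hunk, so whether other fd lookups in this file need the same `f_op` guard cannot be judged from here and is worth checking.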