authorNick Chung <nickchung@google.com>2022-10-19 13:41:27 +0800
committerNick Chung <nickchung@google.com>2023-03-06 06:54:19 +0000
commitf8b79e38bbfac9ecab1b8ce4c3253dc43146e9c5 (patch)
treeb45701b71c65f43aeb2caea22cceeb309afafa38 /lwis_device_slc.c
parent4ef14bc9f7721b963266696527d704104044cd73 (diff)
SLC: fix type confusion vulnerability
Check that the SLC file ops are equal to pt_file_ops. Bug: 245300559 Test: adb shell /data/local/tmp/test_poc Signed-off-by: Nick Chung <nickchung@google.com> Change-Id: I4a4ba91bc384a2a4b75c64cbf2bd0240bec17bc8 (cherry picked from commit d5c273ae9e34ff673476f726d1910067902bfc47)
Diffstat (limited to 'lwis_device_slc.c')
-rw-r--r--lwis_device_slc.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/lwis_device_slc.c b/lwis_device_slc.c
index dd570c1..5b0dd53 100644
--- a/lwis_device_slc.c
+++ b/lwis_device_slc.c
@@ -216,7 +216,14 @@ int lwis_slc_buffer_free(struct lwis_device *lwis_dev, int fd)
if (fp == NULL) {
return -EBADF;
}
- slc_pt = fp->private_data;
+
+ if (fp->f_op != &pt_file_ops) {
+ dev_err(lwis_dev->dev, "SLC file ops is not equal to pt_file_ops\n");
+ fput(fp);
+ return -EINVAL;
+ }
+
+ slc_pt = (struct slc_partition *)fp->private_data;
if (slc_pt->fd != fd) {
dev_warn(lwis_dev->dev, "Stale SLC buffer free for fd %d with ptid %d\n", fd,