diff options
author | Daniel Rosenberg <drosen@google.com> | 2016-12-20 10:05:44 -0800 |
---|---|---|
committer | Patrick Tjin <pattjin@google.com> | 2017-01-18 15:40:48 -0800 |
commit | 4ac98c444c0801e2adee26bec6fc456bab27881a (patch) | |
tree | e621ea1711f45744eff58411c7f7da80ed1380e5 | |
parent | 437ed3156d3a8bba7e33518d23d20be95975c321 (diff) | |
download | x86_64-android-x86_64-fugu-3.10-nougat-mr1.tar.gz |
ANDROID: ion: check for kref overflowandroid-7.1.1_r0.42android-x86_64-fugu-3.10-nougat-mr1
Userspace can cause the kref to handles to increment
arbitrarily high. Ensure it does not overflow.
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug: 31992382
Test: See bug for poc
Change-Id: I6bff1df385742b1d836d43180dc87fadcea80782
-rwxr-xr-x | drivers/staging/android/ion/ion.c | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c index a6d6c05a660e..e0f37e9f6ca0 100755 --- a/drivers/staging/android/ion/ion.c +++ b/drivers/staging/android/ion/ion.c @@ -1,5 +1,4 @@ /* - * drivers/gpu/ion/ion.c * * Copyright (C) 2011 Google, Inc. @@ -15,6 +14,7 @@ * */ +#include <linux/atomic.h> #include <linux/device.h> #include <linux/file.h> #include <linux/freezer.h> @@ -388,6 +388,15 @@ static void ion_handle_get(struct ion_handle *handle) kref_get(&handle->ref); } +/* Must hold the client lock */ +static struct ion_handle* ion_handle_get_check_overflow(struct ion_handle *handle) +{ + if (atomic_read(&handle->ref.refcount) + 1 == 0) + return ERR_PTR(-EOVERFLOW); + ion_handle_get(handle); + return handle; +} + static int ion_handle_put_nolock(struct ion_handle *handle) { int ret; @@ -434,9 +443,9 @@ static struct ion_handle *ion_handle_get_by_id_nolock(struct ion_client *client, handle = idr_find(&client->idr, id); if (handle) - ion_handle_get(handle); + return ion_handle_get_check_overflow(handle); - return handle ? handle : ERR_PTR(-EINVAL); + return ERR_PTR(-EINVAL); } struct ion_handle *ion_handle_get_by_id(struct ion_client *client, @@ -1202,7 +1211,7 @@ struct ion_handle *ion_import_dma_buf(struct ion_client *client, int fd) /* if a handle exists for this buffer just take a reference to it */ handle = ion_handle_lookup(client, buffer); if (!IS_ERR(handle)) { - ion_handle_get(handle); + handle = ion_handle_get_check_overflow(handle); mutex_unlock(&client->lock); goto end; } |