[PATCH] staging: vchiq_arm: fix compat VCHIQ_IOC_AWAIT_COMPLETION

[PATCH] staging: vchiq_arm: fix compat VCHIQ_IOC_AWAIT_COMPLETION

[Ben Wolsieffer]

The compatibility ioctl wrapper for VCHIQ_IOC_AWAIT_COMPLETION assumes that
the native ioctl always uses a message buffer and decrements msgbufcount.
Certain message types do not use a message buffer and in this case
msgbufcount is not decremented, and completion->header for the message is
NULL. Because the wrapper unconditionally decrements msgbufcount, the
calling process may assume that a message buffer has been used even when
it has not.

This results in a memory leak in the userspace code that interfaces with
this driver. When msgbufcount is decremented, the userspace code assumes
that the buffer can be freed though the reference in completion->header,
which cannot happen when the reference is NULL.

This patch causes the wrapper to only decrement msgbufcount when the
native ioctl decrements it. Note that we cannot simply copy the native
ioctl's value of msgbufcount, because the wrapper only retrieves messages
from the native ioctl one at a time, while userspace may request multiple
messages.

Fixes: 5569a12 ("staging: vchiq_arm: Add compatibility wrappers for ioctls")

Signed-off-by: Ben Wolsieffer <benwolsieffer@gmail.com>
---
 .../staging/vc04_services/interface/vchiq_arm/vchiq_arm.c  | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
index d67987fbf25e..8ff0e7e860f3 100644
--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
@@ -1461,6 +1461,7 @@ vchiq_compat_ioctl_await_completion(struct file *file,
 	struct vchiq_await_completion32 args32;
 	struct vchiq_completion_data32 completion32;
 	unsigned int *msgbufcount32;
+	unsigned int msgbufcount_native;
 	compat_uptr_t msgbuf32;
 	void *msgbuf;
 	void **msgbufptr;
@@ -1572,7 +1573,11 @@ vchiq_compat_ioctl_await_completion(struct file *file,
 			 sizeof(completion32)))
 		return -EFAULT;
 
-	args32.msgbufcount--;
+	if (get_user(msgbufcount_native, &args->msgbufcount))
+		return -EFAULT;
+
+	if (!msgbufcount_native)
+		args32.msgbufcount--;
 
 	msgbufcount32 =
 		&((struct vchiq_await_completion32 __user *)arg)->msgbufcount;
-- 
2.19.1

[PATCH] staging: vchiq_arm: fix compat VCHIQ_IOC_AWAIT_COMPLETION

[Stefan Wahren]

Hi Ben,

> Ben Wolsieffer <benwolsieffer@gmail.com> hat am 3. November 2018 um 23:30 geschrieben:
> 
> 
> The compatibility ioctl wrapper for VCHIQ_IOC_AWAIT_COMPLETION assumes that
> the native ioctl always uses a message buffer and decrements msgbufcount.
> Certain message types do not use a message buffer and in this case
> msgbufcount is not decremented, and completion->header for the message is
> NULL. Because the wrapper unconditionally decrements msgbufcount, the
> calling process may assume that a message buffer has been used even when
> it has not.
> 
> This results in a memory leak in the userspace code that interfaces with
> this driver. When msgbufcount is decremented, the userspace code assumes
> that the buffer can be freed though the reference in completion->header,
> which cannot happen when the reference is NULL.
> 
> This patch causes the wrapper to only decrement msgbufcount when the
> native ioctl decrements it. Note that we cannot simply copy the native
> ioctl's value of msgbufcount, because the wrapper only retrieves messages
> from the native ioctl one at a time, while userspace may request multiple
> messages.
> 
> Fixes: 5569a12 ("staging: vchiq_arm: Add compatibility wrappers for ioctls")
> 
> Signed-off-by: Ben Wolsieffer <benwolsieffer@gmail.com>

thanks for sending this patch. Unfortunately you missed some necessary recipients from scripts/get_maintainters.pl:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
devel at driverdev.osuosl.org

Btw please add a link to your pull request into the commit log to provide more background info:

Link: https://github.com/raspberrypi/linux/pull/2703

Thanks
Stefan

[PATCH v2] staging: vchiq_arm: fix compat VCHIQ_IOC_AWAIT_COMPLETION

[Ben Wolsieffer]

The compatibility ioctl wrapper for VCHIQ_IOC_AWAIT_COMPLETION assumes that
the native ioctl always uses a message buffer and decrements msgbufcount.
Certain message types do not use a message buffer and in this case
msgbufcount is not decremented, and completion->header for the message is
NULL. Because the wrapper unconditionally decrements msgbufcount, the
calling process may assume that a message buffer has been used even when
it has not.

This results in a memory leak in the userspace code that interfaces with
this driver. When msgbufcount is decremented, the userspace code assumes
that the buffer can be freed though the reference in completion->header,
which cannot happen when the reference is NULL.

This patch causes the wrapper to only decrement msgbufcount when the
native ioctl decrements it. Note that we cannot simply copy the native
ioctl's value of msgbufcount, because the wrapper only retrieves messages
from the native ioctl one at a time, while userspace may request multiple
messages.

See https://github.com/raspberrypi/linux/pull/2703 for more discussion of
this patch.

Fixes: 5569a12 ("staging: vchiq_arm: Add compatibility wrappers for ioctls")

Signed-off-by: Ben Wolsieffer <benwolsieffer@gmail.com>
---

I added the missing recipients and a link to the GitHub PR in the commit
message.

 .../staging/vc04_services/interface/vchiq_arm/vchiq_arm.c  | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
index d67987fbf25e..8ff0e7e860f3 100644
--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
@@ -1461,6 +1461,7 @@ vchiq_compat_ioctl_await_completion(struct file *file,
 	struct vchiq_await_completion32 args32;
 	struct vchiq_completion_data32 completion32;
 	unsigned int *msgbufcount32;
+	unsigned int msgbufcount_native;
 	compat_uptr_t msgbuf32;
 	void *msgbuf;
 	void **msgbufptr;
@@ -1572,7 +1573,11 @@ vchiq_compat_ioctl_await_completion(struct file *file,
 			 sizeof(completion32)))
 		return -EFAULT;
 
-	args32.msgbufcount--;
+	if (get_user(msgbufcount_native, &args->msgbufcount))
+		return -EFAULT;
+
+	if (!msgbufcount_native)
+		args32.msgbufcount--;
 
 	msgbufcount32 =
 		&((struct vchiq_await_completion32 __user *)arg)->msgbufcount;
-- 
2.19.1

[PATCH v2] staging: vchiq_arm: fix compat VCHIQ_IOC_AWAIT_COMPLETION

[Stefan Wahren]

> Ben Wolsieffer <benwolsieffer@gmail.com> hat am 4. November 2018 um 00:32 geschrieben:
> 
> 
> The compatibility ioctl wrapper for VCHIQ_IOC_AWAIT_COMPLETION assumes that
> the native ioctl always uses a message buffer and decrements msgbufcount.
> Certain message types do not use a message buffer and in this case
> msgbufcount is not decremented, and completion->header for the message is
> NULL. Because the wrapper unconditionally decrements msgbufcount, the
> calling process may assume that a message buffer has been used even when
> it has not.
> 
> This results in a memory leak in the userspace code that interfaces with
> this driver. When msgbufcount is decremented, the userspace code assumes
> that the buffer can be freed though the reference in completion->header,
> which cannot happen when the reference is NULL.
> 
> This patch causes the wrapper to only decrement msgbufcount when the
> native ioctl decrements it. Note that we cannot simply copy the native
> ioctl's value of msgbufcount, because the wrapper only retrieves messages
> from the native ioctl one at a time, while userspace may request multiple
> messages.
> 
> See https://github.com/raspberrypi/linux/pull/2703 for more discussion of
> this patch.
> 
> Fixes: 5569a12 ("staging: vchiq_arm: Add compatibility wrappers for ioctls")
> 
> Signed-off-by: Ben Wolsieffer <benwolsieffer@gmail.com>

Acked-by: Stefan Wahren <stefan.wahren@i2se.com>