| Message ID | 20240530102032.27179-8-quic_ekangupt@quicinc.com (mailing list archive) |
|---|---|
| State | Superseded, archived |
| Headers | show |
| Series | Add missing features to FastRPC driver | expand |
On Thu, May 30, 2024 at 03:50:25PM +0530, Ekansh Gupta wrote: > Untrusted application with access to only non-secure fastrpc device > node can attach to root_pd or static PDs if it can make the respective > init request. This can cause problems as the untrusted application > can send bad requests to root_pd or static PDs. Add changes to reject > attach to privileged PDs if the request is being made using non-secure > fastrpc device node. > > Fixes: 0871561055e6 ("misc: fastrpc: Add support for audiopd") > Cc: stable <stable@kernel.org> > Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com> > --- > drivers/misc/fastrpc.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) > Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
On 30/05/2024 11:20, Ekansh Gupta wrote: > Untrusted application with access to only non-secure fastrpc device > node can attach to root_pd or static PDs if it can make the respective > init request. This can cause problems as the untrusted application > can send bad requests to root_pd or static PDs. Add changes to reject > attach to privileged PDs if the request is being made using non-secure > fastrpc device node. > > Fixes: 0871561055e6 ("misc: fastrpc: Add support for audiopd") > Cc: stable <stable@kernel.org> > Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com> > --- > drivers/misc/fastrpc.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c > index d9d9f889e39e..73fa0e536cf9 100644 > --- a/drivers/misc/fastrpc.c > +++ b/drivers/misc/fastrpc.c > @@ -1344,6 +1344,11 @@ static int fastrpc_init_create_static_process(struct fastrpc_user *fl, > } inbuf; > u32 sc; > > + if (!fl->is_secure_dev) { > + dev_dbg(&fl->cctx->rpdev->dev, "untrusted app trying to attach to privileged DSP PD\n"); > + return -EACCES; > + } Please move these checks to fastrpc_device_ioctl which makes it clear that these are only supported with secure device nodes. I would also prefer this to be documented in the the uapi headers. --srini > + > args = kcalloc(FASTRPC_CREATE_STATIC_PROCESS_NARGS, sizeof(*args), GFP_KERNEL); > if (!args) > return -ENOMEM; > @@ -1769,6 +1774,11 @@ static int fastrpc_init_attach(struct fastrpc_user *fl, int pd) > int tgid = fl->tgid; > u32 sc; > > + if (!fl->is_secure_dev) { > + dev_dbg(&fl->cctx->rpdev->dev, "untrusted app trying to attach to privileged DSP PD\n"); > + return -EACCES; > + } > + > args[0].ptr = (u64)(uintptr_t) &tgid; > args[0].length = sizeof(tgid); > args[0].fd = -1;
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index d9d9f889e39e..73fa0e536cf9 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -1344,6 +1344,11 @@ static int fastrpc_init_create_static_process(struct fastrpc_user *fl, } inbuf; u32 sc; + if (!fl->is_secure_dev) { + dev_dbg(&fl->cctx->rpdev->dev, "untrusted app trying to attach to privileged DSP PD\n"); + return -EACCES; + } + args = kcalloc(FASTRPC_CREATE_STATIC_PROCESS_NARGS, sizeof(*args), GFP_KERNEL); if (!args) return -ENOMEM; @@ -1769,6 +1774,11 @@ static int fastrpc_init_attach(struct fastrpc_user *fl, int pd) int tgid = fl->tgid; u32 sc; + if (!fl->is_secure_dev) { + dev_dbg(&fl->cctx->rpdev->dev, "untrusted app trying to attach to privileged DSP PD\n"); + return -EACCES; + } + args[0].ptr = (u64)(uintptr_t) &tgid; args[0].length = sizeof(tgid); args[0].fd = -1;
Untrusted application with access to only non-secure fastrpc device node can attach to root_pd or static PDs if it can make the respective init request. This can cause problems as the untrusted application can send bad requests to root_pd or static PDs. Add changes to reject attach to privileged PDs if the request is being made using non-secure fastrpc device node. Fixes: 0871561055e6 ("misc: fastrpc: Add support for audiopd") Cc: stable <stable@kernel.org> Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com> --- drivers/misc/fastrpc.c | 10 ++++++++++ 1 file changed, 10 insertions(+)