author | Gagan Grover <ggrover@nvidia.com> | 2016-11-25 17:58:44 +0530 |
---|---|---|
committer | Winnie Hsu <whsu@nvidia.com> | 2018-04-19 10:55:47 -0700 |
commit | ff6dbd5dff104b4d6d4aeeeafe90493e377474e2 (patch) | |
tree | b508ad8b61095ba4850f211b634100ee36b5b6c1 /drivers | |
parent | 946ad0dedcd475c32e4c455d21c5c6df12caa6f7 (diff) |
staging: ion: Fix ION subsystem privilege vulnerability
A malicious application can take advantage of the ION kmalloc heap
to create a specific memory chunk size to exercise a rowhammer
attack on the physical hardware.
The fix disables this ION heap type.
CVE-2016-6728: A-30400942
Bug 1823317
Change-Id: I6b6d891a85da0c175f88cc1a3e48875796db80d4
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1690291
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/staging/android/ion/ion_heap.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/drivers/staging/android/ion/ion_heap.c b/drivers/staging/android/ion/ion_heap.c
index 551fe2e0bc2d..ec1fb7913f4c 100644
--- a/drivers/staging/android/ion/ion_heap.c
+++ b/drivers/staging/android/ion/ion_heap.c
@@ -269,6 +269,8 @@ static int ion_heap_shrink(struct shrinker *shrinker, struct shrink_control *sc)
 {
 struct ion_heap *heap = container_of(shrinker, struct ion_heap, shrinker);
+ if (IS_ERR_OR_NULL(heap))
+ return -EINVAL;
 int total = 0;
 int freed = 0;
 int to_scan = sc->nr_to_scan;
@@ -309,8 +311,9 @@ struct ion_heap *ion_heap_create(struct ion_platform_heap *heap_data)
 switch (heap_data->type) {
 case ION_HEAP_TYPE_SYSTEM_CONTIG:
- heap = ion_system_contig_heap_create(heap_data);
- break;
+ pr_err("%s: Heap type is disabled: %d\n", __func__,
+ heap_data->type);
+ return ERR_PTR(-EINVAL);
 case ION_HEAP_TYPE_SYSTEM:
 heap = ion_system_heap_create(heap_data);
 break;
@@ -343,12 +346,13 @@ struct ion_heap *ion_heap_create(struct ion_platform_heap *heap_data)
 void ion_heap_destroy(struct ion_heap *heap)
 {
- if (!heap)
+ if (IS_ERR_OR_NULL(heap))
 return;
 switch (heap->type) {
 case ION_HEAP_TYPE_SYSTEM_CONTIG:
- ion_system_contig_heap_destroy(heap);
+ pr_err("%s: Heap type is disabled: %d\n", __func__,
+ heap->type);
 break;
 case ION_HEAP_TYPE_SYSTEM:
 ion_system_heap_destroy(heap); |
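Review bot: The added `IS_ERR_OR_NULL(heap)` test in ion_heap_shrink checks the result of `container_of()`, which is `shrinker` minus a member offset, so it can only fire when `shrinker` itself is NULL or near it, and then only depending on that offset. If a guard is wanted, testing the input states the intent: `if (!shrinker) return -EINVAL;`. The check also sits between the `heap` declaration and the `int total` / `freed` / `to_scan` declarations, which puts a statement ahead of declarations against the usual kernel style; it should move below them. The rest of the function body is outside the hunk.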
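Review bot: The ION_HEAP_TYPE_SYSTEM_CONTIG case in ion_heap_create is now rejected with no comment saying why, so the rationale lives only in the commit message and the case could be re-enabled by someone unaware of it. I would add above the pr_err: `/* Disabled: the kmalloc-backed heap can be abused for rowhammer, see CVE-2016-6728 */`. The early return also means any platform data that still lists this heap type now gets `ERR_PTR(-EINVAL)`; the callers are not in this diff, so it is worth confirming they test the result with `IS_ERR()` rather than only for NULL.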
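Review bot: In ion_heap_destroy the ION_HEAP_TYPE_SYSTEM_CONTIG case now only logs and breaks, so a heap of that type that reaches this function is never released. ion_heap_create no longer returns one, but whether other code still calls ion_system_contig_heap_create directly is not visible in this diff. Keeping the release after the message, `ion_system_contig_heap_destroy(heap);`, would avoid a leak in that case. The switch continues past the end of the hunk.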