diag: Add protection while accessing diag client map

There is a possibility of a use-after-free while accessing the
diag client map table, since the list can be reallocated when the
max client limit is exceeded. The patch adds protection
while accessing the client map list.

Change-Id: Ibc33d9d90b7e22394c82265b0fa80a89cc2a3122
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Hardik Arya 2020-02-04 11:59:53 +05:30 committed by Madhab Sharma
parent 912e807881
commit b9530d435e


@ -1,4 +1,4 @@
/* Copyright (c) 2008-2019, The Linux Foundation. All rights reserved.
/* Copyright (c) 2008-2021, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@ -548,6 +548,7 @@ static int diag_remove_client_entry(struct file *file)
return -EINVAL;
}
mutex_lock(&driver->diagchar_mutex);
diagpriv_data = file->private_data;
for (i = 0; i < driver->num_clients; i++)
if (diagpriv_data && diagpriv_data->pid ==
@ -557,11 +558,13 @@ static int diag_remove_client_entry(struct file *file)
DIAG_LOG(DIAG_DEBUG_USERSPACE,
"pid %d, not present in client map\n",
diagpriv_data->pid);
mutex_unlock(&driver->diagchar_mutex);
mutex_unlock(&driver->diag_file_mutex);
return -EINVAL;
}
DIAG_LOG(DIAG_DEBUG_USERSPACE, "diag: %s process exit with pid = %d\n",
driver->client_map[i].name, diagpriv_data->pid);
mutex_unlock(&driver->diagchar_mutex);
/*
* clean up any DCI registrations, if this is a DCI client
* This will specially help in case of ungraceful exit of any DCI client
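Review bot: The index `i` found under `diagchar_mutex` is stale once the added `mutex_unlock(&driver->diagchar_mutex);` after the second DIAG_LOG runs. Any later use of `driver->client_map[i]` in the rest of diag_remove_client_entry(), which continues outside this hunk, would need to re-take the lock and repeat the pid lookup rather than reuse `i`. The error path unlocks `diag_file_mutex` after `diagchar_mutex`, so the new lock appears to nest inside `diag_file_mutex`; if any other path takes the two in the opposite order this can deadlock. I would record the order above the added `mutex_lock`, for example `/* lock order: diag_file_mutex, then diagchar_mutex */`. Whether the path that reallocates the client map holds the same mutex is not visible here and should be confirmed, since the protection depends on it.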