From b9530d435e9d473de93e407763e5504df94ee30f Mon Sep 17 00:00:00 2001
From: Hardik Arya
Date: Tue, 4 Feb 2020 11:59:53 +0530
Subject: [PATCH] diag: Add protection while accessing diag client map

There is a possibility of use-after-free while accessing diag client map table since list can be reallocated due to exceeding max client limit. The patch adds protection while accessing client map list.

Change-Id: Ibc33d9d90b7e22394c82265b0fa80a89cc2a3122
Signed-off-by: Hardik Arya
---
 drivers/char/diag/diagchar_core.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c
index d8e28727ae3e..2dd7c0530487 100644
--- a/drivers/char/diag/diagchar_core.c
+++ b/drivers/char/diag/diagchar_core.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2008-2019, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2008-2021, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -548,6 +548,7 @@ static int diag_remove_client_entry(struct file *file)
 return -EINVAL;
 }
 
+ mutex_lock(&driver->diagchar_mutex);
 diagpriv_data = file->private_data;
 for (i = 0; i < driver->num_clients; i++)
 if (diagpriv_data && diagpriv_data->pid ==
@@ -557,11 +558,13 @@ static int diag_remove_client_entry(struct file *file)
 DIAG_LOG(DIAG_DEBUG_USERSPACE,
 "pid %d, not present in client map\n",
 diagpriv_data->pid);
+ mutex_unlock(&driver->diagchar_mutex);
 mutex_unlock(&driver->diag_file_mutex);
 return -EINVAL;
 }
 DIAG_LOG(DIAG_DEBUG_USERSPACE, "diag: %s process exit with pid = %d\n",
 driver->client_map[i].name, diagpriv_data->pid);
+ mutex_unlock(&driver->diagchar_mutex);
 /*
 * clean up any DCI registrations, if this is a DCI client
 * This will specially help in case of ungraceful exit of any DCI client
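Review bot: In the second hunk of diag_remove_client_entry, diagchar_mutex is released immediately after the DIAG_LOG that reads `driver->client_map[i].name`, yet `i` was computed under that lock as an index into the same table; if the function goes on to touch `driver->client_map[i]` after this unlock (its body continues past the hunk), the reallocation race the commit message describes is reopened for those later accesses. Consider holding diagchar_mutex until the last use of `i` as a client_map index, or copying whatever fields are needed out of `driver->client_map[i]` into locals before the unlock. The new lock is also acquired while diag_file_mutex is already held (it is released before diag_file_mutex on the error path), so every other caller must take the two in the same order, diag_file_mutex then diagchar_mutex — that ordering cannot be confirmed from this hunk and is worth checking against the other lock sites. A one-line comment at the lock site, `/* diagchar_mutex guards client_map against reallocation while it is scanned and indexed */`, would record the invariant the patch relies on.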