video: tegra: nvmap: fix nvmap create handle vulnerability
authorskadamati <skadamati@nvidia.com>
Thu, 15 Dec 2016 11:23:22 +0000 (16:23 +0530)
committerManish Tuteja <mtuteja@nvidia.com>
Wed, 1 Mar 2017 00:36:39 +0000 (16:36 -0800)
commit055313cc4c60fa430f904ac342a97099be269d5d
tree93c4dd09c3b91dd29d0bef021fad3f59ffc22e1b
parent62e74dd064bf0f6c3e785080084431f50f81c2d4
video: tegra: nvmap: fix nvmap create handle vulnerability

Handle the race condition between malicious fd close and
copy_to_user error, which can create use after free condition.
This is fixed by deferring the fd install, which eliminates
the race that leads to use after free condition.
Fixing Google Bug 32160775.

Bug 1835857
Bug 200260161
Bug 1849492
Bug 1825283
CVE-2016-8424 (A-31606947)

Change-Id: I337807e4360661beced8f9e1155c47b66607b8df
Reviewed-on: http://git-master/r/1248391
(cherry picked from commit c26f2a34c189bef2d99740a420b2ab4023d912c0)
Reviewed-on: http://git-master/r/1273324
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285852
(cherry picked from commit b1513dff2b4bd35d1b400645642bce8dcf3c96c7)
Reviewed-on: http://git-master/r/1299501
(cherry picked from commit 3993b1f51cd24e93b460d24b2659f0c7a6c6cf8a)
Reviewed-on: http://git-master/r/1311422
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
drivers/video/tegra/nvmap/nvmap_dmabuf.c
drivers/video/tegra/nvmap/nvmap_ioctl.c