staging: ion: Fix ION subsystem privilege vulnerability
Gagan Grover [Fri, 25 Nov 2016 12:28:44 +0000 (17:28 +0530)]
A malicious application can take advantage of the ION kmalloc heap
to create a specific memory chunk size to exercise a rowhammer
attack on the physical hardware.

The fix is designed to disable ION heap type.

CVE-2016-6728: A-30400942

Bug 1823317

Change-Id: I6b6d891a85da0c175f88cc1a3e48875796db80d4
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1690291
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

drivers/staging/android/ion/ion_heap.c

index 551fe2e..ec1fb79 100644 (file)
@@ -269,6 +269,8 @@ static int ion_heap_shrink(struct shrinker *shrinker, struct shrink_control *sc)
 {
        struct ion_heap *heap = container_of(shrinker, struct ion_heap,
                                             shrinker);
+       if (IS_ERR_OR_NULL(heap))
+               return -EINVAL;
        int total = 0;
        int freed = 0;
        int to_scan = sc->nr_to_scan;
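Review bot: The added `IS_ERR_OR_NULL(heap)` check right after `container_of` cannot trigger for a valid `shrinker`: `container_of` only subtracts a constant offset from the pointer it is given, so `heap` is NULL or an error value only if `shrinker` itself already was, and the shrinker core does not call back with such a pointer. The statement is also placed before `int total = 0;`, which mixes code with declarations and trips `-Wdeclaration-after-statement` in a kernel build. If a defensive guard is wanted, it should test the argument the function actually receives and sit after the declarations, `if (!shrinker) return -1;`, with the sentinel chosen to match what this kernel's shrink API treats as "nothing to do" rather than `-EINVAL` (I cannot confirm that convention from the hunk). The body of ion_heap_shrink continues past the end of the hunk.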
@@ -309,8 +311,9 @@ struct ion_heap *ion_heap_create(struct ion_platform_heap *heap_data)
 
        switch (heap_data->type) {
        case ION_HEAP_TYPE_SYSTEM_CONTIG:
-               heap = ion_system_contig_heap_create(heap_data);
-               break;
+               pr_err("%s: Heap type is disabled: %d\n", __func__,
+                      heap_data->type);
+               return ERR_PTR(-EINVAL);
        case ION_HEAP_TYPE_SYSTEM:
                heap = ion_system_heap_create(heap_data);
                break;
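Review bot: The early `return ERR_PTR(-EINVAL)` in the `ION_HEAP_TYPE_SYSTEM_CONTIG` case carries no comment explaining why an entire heap type is refused, so the rationale survives only in the commit message and a later maintainer may read the case as a configuration bug and restore the old `ion_system_contig_heap_create` call. A comment above the `case` label such as `/* Disabled: kmalloc-backed contiguous chunks of caller-chosen size enable rowhammer-style attacks (CVE-2016-6728). */` keeps that reason with the code. Every caller of ion_heap_create must now handle an ERR_PTR for this type; the callers lie outside this hunk, so whether they already check `IS_ERR` cannot be confirmed here. The remainder of ion_heap_create is outside the hunk.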
@@ -343,12 +346,13 @@ struct ion_heap *ion_heap_create(struct ion_platform_heap *heap_data)
 
 void ion_heap_destroy(struct ion_heap *heap)
 {
-       if (!heap)
+       if (IS_ERR_OR_NULL(heap))
                return;
 
        switch (heap->type) {
        case ION_HEAP_TYPE_SYSTEM_CONTIG:
-               ion_system_contig_heap_destroy(heap);
+               pr_err("%s: Heap type is disabled: %d\n", __func__,
+                      heap->type);
                break;
        case ION_HEAP_TYPE_SYSTEM:
                ion_system_heap_destroy(heap);
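Review bot: The `ION_HEAP_TYPE_SYSTEM_CONTIG` case in ion_heap_destroy is now unreachable by construction, since ion_heap_create refuses to build a heap of that type, yet if it is ever reached it logs "disabled" and then `break`s into whatever teardown follows the switch (outside the hunk) for a heap no create path produced. If the case is kept as a safety net, its message should say that a heap of a refused type unexpectedly exists, `pr_err("%s: unexpected heap of disabled type %d\n", __func__, heap->type);`, so the log points at the real anomaly. Widening the entry guard to `IS_ERR_OR_NULL(heap)` is the right companion to the new ERR_PTR return in ion_heap_create. It is likely that `ion_system_contig_heap_destroy` is no longer referenced from this file after this change; whether its declaration elsewhere still needs it cannot be seen from the hunk. The function continues beyond the hunk.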