misc: fastrpc: Restrict untrusted app to attach to privileged PD

Untrusted application with access to only non-secure fastrpc device
node can attach to root_pd or static PDs if it can make the respective
init request. This can cause problems as the untrusted application
can send bad requests to root_pd or static PDs. Add changes to reject
attach to privileged PDs if the request is being made using non-secure
fastrpc device node.

Fixes: 0871561055e6 ("misc: fastrpc: Add support for audiopd")
Cc: stable <stable@kernel.org>
Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20240628114501.14310-7-srinivas.kandagatla@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 5680856c0fb82c9604f1219c480983fcbb607dbd..a7a2bcedb37e44880f7f6e0ca63cb29e9e83312f 100644 (file)
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -2087,6 +2087,16 @@ err_invoke:
        return err;
 }
 
+static int is_attach_rejected(struct fastrpc_user *fl)
+{
+       /* Check if the device node is non-secure */
+       if (!fl->is_secure_dev) {
+               dev_dbg(&fl->cctx->rpdev->dev, "untrusted app trying to attach to privileged DSP PD\n");
+               return -EACCES;
+       }
+       return 0;
+}
+
 static long fastrpc_device_ioctl(struct file *file, unsigned int cmd,
                                 unsigned long arg)
 {
@@ -2099,13 +2109,19 @@ static long fastrpc_device_ioctl(struct file *file, unsigned int cmd,
                err = fastrpc_invoke(fl, argp);
                break;
        case FASTRPC_IOCTL_INIT_ATTACH:
-               err = fastrpc_init_attach(fl, ROOT_PD);
+               err = is_attach_rejected(fl);
+               if (!err)
+                       err = fastrpc_init_attach(fl, ROOT_PD);
                break;
        case FASTRPC_IOCTL_INIT_ATTACH_SNS:
-               err = fastrpc_init_attach(fl, SENSORS_PD);
+               err = is_attach_rejected(fl);
+               if (!err)
+                       err = fastrpc_init_attach(fl, SENSORS_PD);
                break;
        case FASTRPC_IOCTL_INIT_CREATE_STATIC:
-               err = fastrpc_init_create_static_process(fl, argp);
+               err = is_attach_rejected(fl);
+               if (!err)
+                       err = fastrpc_init_create_static_process(fl, argp);
                break;
        case FASTRPC_IOCTL_INIT_CREATE:
                err = fastrpc_init_create_process(fl, argp);

diff --git a/include/uapi/misc/fastrpc.h b/include/uapi/misc/fastrpc.h
index f33d914d8f4699eddef9f9910ec2b30440c26e83..91583690bddc5294e926d73b40d201f039474b28 100644 (file)
--- a/include/uapi/misc/fastrpc.h
+++ b/include/uapi/misc/fastrpc.h
@@ -8,11 +8,14 @@
 #define FASTRPC_IOCTL_ALLOC_DMA_BUFF   _IOWR('R', 1, struct fastrpc_alloc_dma_buf)
 #define FASTRPC_IOCTL_FREE_DMA_BUFF    _IOWR('R', 2, __u32)
 #define FASTRPC_IOCTL_INVOKE           _IOWR('R', 3, struct fastrpc_invoke)
+/* This ioctl is only supported with secure device nodes */
 #define FASTRPC_IOCTL_INIT_ATTACH      _IO('R', 4)
 #define FASTRPC_IOCTL_INIT_CREATE      _IOWR('R', 5, struct fastrpc_init_create)
 #define FASTRPC_IOCTL_MMAP             _IOWR('R', 6, struct fastrpc_req_mmap)
 #define FASTRPC_IOCTL_MUNMAP           _IOWR('R', 7, struct fastrpc_req_munmap)
+/* This ioctl is only supported with secure device nodes */
 #define FASTRPC_IOCTL_INIT_ATTACH_SNS  _IO('R', 8)
+/* This ioctl is only supported with secure device nodes */
 #define FASTRPC_IOCTL_INIT_CREATE_STATIC _IOWR('R', 9, struct fastrpc_init_create_static)
 #define FASTRPC_IOCTL_MEM_MAP          _IOWR('R', 10, struct fastrpc_mem_map)
 #define FASTRPC_IOCTL_MEM_UNMAP                _IOWR('R', 11, struct fastrpc_mem_unmap)