From ff6dbd5dff104b4d6d4aeeeafe90493e377474e2 Mon Sep 17 00:00:00 2001
From: Gagan Grover
Date: Fri, 25 Nov 2016 17:58:44 +0530
Subject: staging: ion: Fix ION subsystem privilege vulnerability

A malicious application can take advantage of the ION kmalloc heap to create a specific memory chunk size to exercise a rowhammer attack on the physical hardware. The fix is designed to disable ION heap type.

CVE-2016-6728: A-30400942
Bug 1823317

Change-Id: I6b6d891a85da0c175f88cc1a3e48875796db80d4
Signed-off-by: Gagan Grover
Reviewed-on: https://git-master.nvidia.com/r/1690291
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu
Tested-by: Amulya Yarlagadda
Reviewed-by: Winnie Hsu
---
 drivers/staging/android/ion/ion_heap.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

(limited to 'drivers')

diff --git a/drivers/staging/android/ion/ion_heap.c b/drivers/staging/android/ion/ion_heap.c
index 551fe2e0bc2d..ec1fb7913f4c 100644
--- a/drivers/staging/android/ion/ion_heap.c
+++ b/drivers/staging/android/ion/ion_heap.c
@@ -269,6 +269,8 @@ static int ion_heap_shrink(struct shrinker *shrinker, struct shrink_control *sc)
 {
 struct ion_heap *heap = container_of(shrinker, struct ion_heap,
 shrinker);
+ if (IS_ERR_OR_NULL(heap))
+ return -EINVAL;
 int total = 0;
 int freed = 0;
 int to_scan = sc->nr_to_scan;
@@ -309,8 +311,9 @@ struct ion_heap *ion_heap_create(struct ion_platform_heap *heap_data)
 
 switch (heap_data->type) {
 case ION_HEAP_TYPE_SYSTEM_CONTIG:
- heap = ion_system_contig_heap_create(heap_data);
- break;
+ pr_err("%s: Heap type is disabled: %d\n", __func__,
+ heap_data->type);
+ return ERR_PTR(-EINVAL);
 case ION_HEAP_TYPE_SYSTEM:
 heap = ion_system_heap_create(heap_data);
 break;
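Review bot: The added `if (IS_ERR_OR_NULL(heap))` in ion_heap_shrink is placed between the `heap` initializer and `int total = 0;`, so the three remaining declarations now follow a statement, which the kernel's `-Wdeclaration-after-statement` build reports as a warning; move the check below `int to_scan = sc->nr_to_scan;` if it is to stay. It is worth asking whether it should stay at all: `heap` is `container_of()` applied to the `shrinker` pointer the core passes to the callback, so it is neither NULL nor an ERR_PTR value unless the core is broken, and the guard is dead code. If kept, `-EINVAL` is not a value the shrinker contract defines for this callback; presumably the interface in this tree treats any negative return as "nothing to shrink", but that should be confirmed rather than relied on. The body of ion_heap_shrink continues past the hunk.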
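Review bot: The new `ION_HEAP_TYPE_SYSTEM_CONTIG` arm in ion_heap_create refuses the heap without recording why in the code, leaving the commit message as the only explanation a future maintainer re-enabling the heap would miss; add a comment above the `pr_err`, e.g. `/* Deliberately disabled: kmalloc-backed contiguous heap, CVE-2016-6728 (A-30400942). Do not re-enable. */`, and the same comment on the matching arm in ion_heap_destroy in the last hunk. The log line is also less useful than it could be, since only the numeric type is printed; `pr_err("%s: heap '%s' (type %d) is disabled\n", __func__, heap_data->name, heap_data->type);` would identify the platform heap by name. The `default:` arm of this switch presumably already logs and returns `ERR_PTR(-EINVAL)`, so the new arm duplicates it; the explicit arm is still the right choice here because it documents intent, provided the comment above is added. ion_heap_create begins and ends outside the hunk.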
@@ -343,12 +346,13 @@ struct ion_heap *ion_heap_create(struct ion_platform_heap *heap_data)
 
 void ion_heap_destroy(struct ion_heap *heap)
 {
- if (!heap)
+ if (IS_ERR_OR_NULL(heap))
 return;
 
 switch (heap->type) {
 case ION_HEAP_TYPE_SYSTEM_CONTIG:
- ion_system_contig_heap_destroy(heap);
+ pr_err("%s: Heap type is disabled: %d\n", __func__,
+ heap->type);
 break;
 case ION_HEAP_TYPE_SYSTEM:
 ion_system_heap_destroy(heap);
-- 
cgit v1.2.3
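Review bot: In ion_heap_destroy the `ION_HEAP_TYPE_SYSTEM_CONTIG` arm now prints "Heap type is disabled" and `break`s, but since ion_heap_create no longer constructs heaps of this type, a live heap object reaching this arm means it was created by some other path and is a bug indicator, not a disabled feature; `WARN_ONCE(1, "%s: unexpected heap of disabled type %d\n", __func__, heap->type);` states that more honestly than a `pr_err` that mirrors the create-side message. Widening `!heap` to `IS_ERR_OR_NULL(heap)` is harmless as defense in depth, but note that it also silently accepts an `ERR_PTR` a caller should have rejected after ion_heap_create, so it will hide a caller that forgets to check the create result. The switch in ion_heap_destroy continues beyond the hunk.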