author | Andrei F <luxneb@gmail.com> | 2012-12-19 21:31:19 +0100 |
---|---|---|
committer | codeworkx <codeworkx@cyanogenmod.org> | 2012-12-20 18:47:38 +0100 |
commit | 9c1d0f487d28417858778d094f2eb98eb47ea2f7 (patch) | |
tree | ca96810f25466e2686ac44b5d71892e63c18592c /arch/arm/plat-s5p | |
parent | c3e546ee57369dc2dd340c07868df83380428de0 (diff) | |
exynos-mem: Fix major security hole
This fixes the exynos-mem device security hole. The driver allowed any user
to access all of the device's lowmem through the provided mmap functionality.
We create a small framework that collects the actual CMA memory blocks
that exist on the device; they are the root cause of the existence of this device
driver. We white-list only the CMA memory spaces as parameters to the mmap
function and deny access to any other memory space requests.
We furthermore just allow access to the "s3c-fimc" memory block as this is
seemingly the only space which upon access denial actually breaks functionality.
Change-Id: I286be4a2546621c66d214c79f480822ecd8138db
Diffstat (limited to 'arch/arm/plat-s5p')
-rw-r--r-- | arch/arm/plat-s5p/reserve_mem.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/arch/arm/plat-s5p/reserve_mem.c b/arch/arm/plat-s5p/reserve_mem.c index 557938a..32ac973 100644 --- a/arch/arm/plat-s5p/reserve_mem.c +++ b/arch/arm/plat-s5p/reserve_mem.c @@ -22,6 +22,7 @@ #ifdef CONFIG_CMA #include <linux/cma.h> +#include <linux/exynos_mem.h> void __init s5p_cma_region_reserve(struct cma_region *regions_normal, struct cma_region *regions_secure, size_t align_secure, const char *map) @@ -69,6 +70,9 @@ void __init s5p_cma_region_reserve(struct cma_region *regions_normal, pr_debug("S5P/CMA: " "Reserved 0x%08x/0x%08x for '%s'\n", reg->start, reg->size, reg->name); + + cma_region_descriptor_add(reg->name, reg->start, reg->size); + paddr = reg->start; } else { paddr = memblock_find_in_range(0, @@ -88,6 +92,8 @@ void __init s5p_cma_region_reserve(struct cma_region *regions_normal, pr_info("S5P/CMA: Reserved 0x%08x/0x%08x for '%s'\n", reg->start, reg->size, reg->name); + + cma_region_descriptor_add(reg->name, reg->start, reg->size); } else { pr_err("S5P/CMA: No free space in memory for '%s'\n", reg->name); @@ -155,6 +161,9 @@ void __init s5p_cma_region_reserve(struct cma_region *regions_normal, } if (paddr_last) { + pr_info("S5P/CMA: " + "Reserved 0x%08x/0x%08x for 'secure_region'\n", + paddr_last, size_secure); #ifndef CONFIG_DMA_CMA while (memblock_reserve(paddr_last, size_secure)) paddr_last -= align_secure; @@ -165,7 +174,6 @@ void __init s5p_cma_region_reserve(struct cma_region *regions_normal, paddr_last -= align_secure; } #endif - do { #ifndef CONFIG_DMA_CMA reg->start = paddr_last; @@ -191,6 +199,7 @@ void __init s5p_cma_region_reserve(struct cma_region *regions_normal, if (memblock_reserve(reg->start, reg->size)) panic("memblock\n"); + #endif } else { reg->start = paddr_last; 
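Review bot: The two `cma_region_descriptor_add(reg->name, reg->start, reg->size);` calls added after the `pr_debug`/`pr_info` lines (hunks at -69 and -88) carry no comment saying that they feed the exynos-mem mmap whitelist, and any result they return is discarded. The function is declared in `linux/exynos_mem.h`, outside this diff, so whether it can fail and whether it copies `reg->name` or keeps the pointer cannot be confirmed here; if it keeps the pointer, the string has to outlive this `__init` function. I would add a comment such as `/* record region for the exynos-mem mmap whitelist; ranges not listed are refused */` at each call, and if the function returns a status, report a failure with `pr_err`. The body of `s5p_cma_region_reserve` continues outside both hunks.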
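Review bot: The new `pr_info` for `'secure_region'` in the hunk at -155 prints `paddr_last` before the reservation loop `while (memblock_reserve(paddr_last, size_secure)) paddr_last -= align_secure;` has run, so the logged base can differ from the address that is actually reserved once the loop steps down. Moving the three added lines below the `#endif` that closes the reservation block would make the message report the final value. The `0x%08x` conversions also assume both arguments are 32-bit `unsigned int`; `size_secure` is presumably a `size_t` like `align_secure`, so `%zx` would be the matching specifier, though the existing messages in this function follow the same pattern.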
@@ -201,6 +210,9 @@ void __init s5p_cma_region_reserve(struct cma_region *regions_normal, pr_info("S5P/CMA: " "Reserved 0x%08x/0x%08x for '%s'\n", reg->start, reg->size, reg->name); + + cma_region_descriptor_add(reg->name, reg->start, reg->size); + if (cma_early_region_register(reg)) { memblock_free(reg->start, reg->size); pr_err("S5P/CMA: " |
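Review bot: In this hunk `cma_region_descriptor_add(reg->name, reg->start, reg->size);` runs before `if (cma_early_region_register(reg))`, and the failure branch then calls `memblock_free(reg->start, reg->size)` without withdrawing the descriptor. The whitelist can therefore keep a range that has been handed back to the general allocator, which is the kind of memory this commit is meant to put out of reach of the mmap path. Registering the descriptor only once `cma_early_region_register` has succeeded (in the success path after the `if`, which lies outside this hunk) would avoid the stale entry. The same ordering question applies to the calls added in the hunks at -69 and -88, where the later registration step, if there is one, is not visible.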