!1242 fs_epoll竞争漏洞修复

Merge pull request !1242 from 石子怡/master
update fs/vfs/epoll/fs_epoll.c.
2024-10-15 14:09:01 +00:00 · 2024-10-15 08:15:43 +00:00 · 2024-10-15 07:53:37 +00:00 · 2024-10-15 07:47:13 +00:00 · 2024-10-12 12:07:26 +00:00 · 2024-10-12 18:29:50 +08:00
4 changed files with 27 additions and 13 deletions
--- a/drivers/char/mem/src/mem.c
+++ b/drivers/char/mem/src/mem.c
@ -61,7 +61,7 @@ static ssize_t MemMap(struct file *filep, LosVmMapRegion *region)
    VADDR_T vaddr = region->range.base;
    LosVmSpace *space = LOS_SpaceGet(vaddr);

-    if ((paddr >= SYS_MEM_BASE) && (paddr < SYS_MEM_END)) {
+    if (((paddr + size) >= SYS_MEM_BASE) && (paddr < SYS_MEM_END)) {
        return -EINVAL;
    }

--- a/fs/vfs/epoll/fs_epoll.c
+++ b/fs/vfs/epoll/fs_epoll.c
@ -220,14 +220,18 @@ int epoll_close(int epfd)
 {
    struct epoll_head *epHead = NULL;

+    (VOID)pthread_mutex_lock(&g_epollMutex);
    epHead = EpollGetDataBuff(epfd);
    if (epHead == NULL) {
+        (VOID)pthread_mutex_unlock(&g_epollMutex);
        set_errno(EBADF);
        return -1;
    }

    DoEpollClose(epHead);
-    return EpollFreeSysFd(epfd);
+    int ret = EpollFreeSysFd(epfd);
+    (VOID)pthread_mutex_unlock(&g_epollMutex);
+    return ret;
 }

 int epoll_ctl(int epfd, int op, int fd, struct epoll_event *ev)
@ -236,15 +240,16 @@ int epoll_ctl(int epfd, int op, int fd, struct epoll_event *ev)
    int i;
    int ret = -1;

+    (VOID)pthread_mutex_lock(&g_epollMutex);
    epHead = EpollGetDataBuff(epfd);
    if (epHead == NULL) {
        set_errno(EBADF);
-        return ret;
+        goto OUT_RELEASE;
    }

    if (ev == NULL) {
        set_errno(EINVAL);
-        return -1;
+        goto OUT_RELEASE;
    }

    switch (op) {
@ -252,18 +257,19 @@ int epoll_ctl(int epfd, int op, int fd, struct epoll_event *ev)
            ret = CheckFdExist(epHead, fd);
            if (ret == -1) {
                set_errno(EEXIST);
-                return -1;
+                goto OUT_RELEASE;
            }

            if (epHead->nodeCount == EPOLL_DEFAULT_SIZE) {
                set_errno(ENOMEM);
-                return -1;
+                goto OUT_RELEASE;
            }

            epHead->evs[epHead->nodeCount].events = ev->events | POLLERR | POLLHUP;
            epHead->evs[epHead->nodeCount].data.fd = fd;
            epHead->nodeCount++;
-            return 0;
+            ret = 0;
+            break;
        case EPOLL_CTL_DEL:
            for (i = 0; i < epHead->nodeCount; i++) {
                if (epHead->evs[i].data.fd != fd) {
@ -275,23 +281,29 @@ int epoll_ctl(int epfd, int op, int fd, struct epoll_event *ev)
                              epHead->nodeCount - i);
                }
                epHead->nodeCount--;
-                return 0;
+                ret = 0;
+                goto OUT_RELEASE;
            }
            set_errno(ENOENT);
-            return -1;
+            break;
        case EPOLL_CTL_MOD:
            for (i = 0; i < epHead->nodeCount; i++) {
                if (epHead->evs[i].data.fd == fd) {
                    epHead->evs[i].events = ev->events | POLLERR | POLLHUP;
-                    return 0;
+                    ret = 0;
+                    goto OUT_RELEASE;
                }
            }
            set_errno(ENOENT);
-            return -1;
+            break;
        default:
            set_errno(EINVAL);
-            return -1;
+            break;
    }
+
+OUT_RELEASE:
+    (VOID)pthread_mutex_unlock(&g_epollMutex);
+    return ret;
 }

 int epoll_wait(int epfd, FAR struct epoll_event *evs, int maxevents, int timeout)
--- a/kernel/base/vm/shm.c
+++ b/kernel/base/vm/shm.c
@ -689,6 +689,9 @@ INT32 ShmCtl(INT32 shmid, INT32 cmd, struct shmid_ds *buf)
                                    (shm_perm.mode & ACCESSPERMS);
            seg->ds.shm_ctime = time(NULL);
 #ifdef LOSCFG_SHELL
+            if (OsProcessIDUserCheckInvalid(shm_perm.uid)) {
+                break;
+            }
            (VOID)memcpy_s(seg->ownerName, OS_PCB_NAME_LEN, OS_PCB_FROM_PID(shm_perm.uid)->processName,
                           OS_PCB_NAME_LEN);
 #endif
--- a/kernel/extended/hidumper/los_hidumper.c
+++ b/kernel/extended/hidumper/los_hidumper.c
@ -278,7 +278,6 @@ static void DumpFaultLog(void)

 static void DumpMemData(struct MemDumpParam *param)
 {
-    PRINTK("\nDumpType: %d\n", param->type);
    PRINTK("Unsupported now!\n");
 }
Author	SHA1	Message	Date
openharmony_ci	0d1635757f	!1242 fs_epoll竞争漏洞修复 Merge pull request !1242 from 石子怡/master	2024-10-15 14:09:01 +00:00
石子怡	c099376d69	update fs/vfs/epoll/fs_epoll.c. Signed-off-by: 石子怡 <z15319797139@163.com>	2024-10-15 08:15:43 +00:00
石子怡	63f261d239	update fs/vfs/epoll/fs_epoll.c. Signed-off-by: 石子怡 <z15319797139@163.com>	2024-10-15 07:53:37 +00:00
石子怡	02abd34ad2	update fs/vfs/epoll/fs_epoll.c. Signed-off-by: 石子怡 <z15319797139@163.com>	2024-10-15 07:47:13 +00:00
openharmony_ci	20c42a9de5	!1238 shm pid 入参漏洞修复 Merge pull request !1238 from hw_llm/master	2024-10-12 12:07:26 +00:00
hw_llm	14c79fc921	Description: shm pid入参漏洞修复 IssueNo: https://gitee.com/openharmony/kernel_liteos_a/issues/IAWM6R Feature Or Bugfix: Bugfix Binary Source: No Signed-off-by: hw_llm <liu.limin@huawei.com>	2024-10-12 18:29:50 +08:00
openharmony_ci	51428fb84a	!1235 hidumper 漏洞修复 Merge pull request !1235 from hw_llm/master	2024-09-29 14:20:21 +00:00
hw_llm	31da79ec80	Description: hidumper 漏洞修复 IssueNo: https://gitee.com/openharmony/kernel_liteos_a/issues/IAUKD9 Feature Or Bugfix: Bugfix Binary Source: No Signed-off-by: hw_llm <liu.limin@huawei.com>	2024-09-29 17:41:35 +08:00
openharmony_ci	88cfb3de9d	!1232 mem 漏洞修复 Merge pull request !1232 from hw_llm/master	2024-09-29 09:12:37 +00:00
hw_llm	4bb465f9af	Description: mem 漏洞修复 IssueNo: https://gitee.com/openharmony/kernel_liteos_a/issues/IAUJDR Feature Or Bugfix: Bugfix Binary Source: No Signed-off-by: hw_llm <liu.limin@huawei.com>	2024-09-29 16:09:45 +08:00