!1242 fs_epoll竞争漏洞修复

Merge pull request !1242 from 石子怡/master
update fs/vfs/epoll/fs_epoll.c.
2024-10-15 14:09:01 +00:00 · 2024-10-15 08:15:43 +00:00 · 2024-10-15 07:53:37 +00:00 · 2024-10-15 07:47:13 +00:00 · 2024-10-12 12:07:26 +00:00 · 2024-10-12 18:29:50 +08:00
8 changed files with 41 additions and 16 deletions
--- a/drivers/char/mem/src/mem.c
+++ b/drivers/char/mem/src/mem.c
@ -61,7 +61,7 @@ static ssize_t MemMap(struct file *filep, LosVmMapRegion *region)
    VADDR_T vaddr = region->range.base;
    LosVmSpace *space = LOS_SpaceGet(vaddr);

-    if ((paddr >= SYS_MEM_BASE) && (paddr < SYS_MEM_END)) {
+    if (((paddr + size) >= SYS_MEM_BASE) && (paddr < SYS_MEM_END)) {
        return -EINVAL;
    }

--- a/fs/vfs/epoll/fs_epoll.c
+++ b/fs/vfs/epoll/fs_epoll.c
@ -220,14 +220,18 @@ int epoll_close(int epfd)
 {
    struct epoll_head *epHead = NULL;

+    (VOID)pthread_mutex_lock(&g_epollMutex);
    epHead = EpollGetDataBuff(epfd);
    if (epHead == NULL) {
+        (VOID)pthread_mutex_unlock(&g_epollMutex);
        set_errno(EBADF);
        return -1;
    }

    DoEpollClose(epHead);
-    return EpollFreeSysFd(epfd);
+    int ret = EpollFreeSysFd(epfd);
+    (VOID)pthread_mutex_unlock(&g_epollMutex);
+    return ret;
 }

 int epoll_ctl(int epfd, int op, int fd, struct epoll_event *ev)
@ -236,15 +240,16 @@ int epoll_ctl(int epfd, int op, int fd, struct epoll_event *ev)
    int i;
    int ret = -1;

+    (VOID)pthread_mutex_lock(&g_epollMutex);
    epHead = EpollGetDataBuff(epfd);
    if (epHead == NULL) {
        set_errno(EBADF);
-        return ret;
+        goto OUT_RELEASE;
    }

    if (ev == NULL) {
        set_errno(EINVAL);
-        return -1;
+        goto OUT_RELEASE;
    }

    switch (op) {
@ -252,18 +257,19 @@ int epoll_ctl(int epfd, int op, int fd, struct epoll_event *ev)
            ret = CheckFdExist(epHead, fd);
            if (ret == -1) {
                set_errno(EEXIST);
-                return -1;
+                goto OUT_RELEASE;
            }

            if (epHead->nodeCount == EPOLL_DEFAULT_SIZE) {
                set_errno(ENOMEM);
-                return -1;
+                goto OUT_RELEASE;
            }

            epHead->evs[epHead->nodeCount].events = ev->events | POLLERR | POLLHUP;
            epHead->evs[epHead->nodeCount].data.fd = fd;
            epHead->nodeCount++;
-            return 0;
+            ret = 0;
+            break;
        case EPOLL_CTL_DEL:
            for (i = 0; i < epHead->nodeCount; i++) {
                if (epHead->evs[i].data.fd != fd) {
@ -275,23 +281,29 @@ int epoll_ctl(int epfd, int op, int fd, struct epoll_event *ev)
                              epHead->nodeCount - i);
                }
                epHead->nodeCount--;
-                return 0;
+                ret = 0;
+                goto OUT_RELEASE;
            }
            set_errno(ENOENT);
-            return -1;
+            break;
        case EPOLL_CTL_MOD:
            for (i = 0; i < epHead->nodeCount; i++) {
                if (epHead->evs[i].data.fd == fd) {
                    epHead->evs[i].events = ev->events | POLLERR | POLLHUP;
-                    return 0;
+                    ret = 0;
+                    goto OUT_RELEASE;
                }
            }
            set_errno(ENOENT);
-            return -1;
+            break;
        default:
            set_errno(EINVAL);
-            return -1;
+            break;
    }
+
+OUT_RELEASE:
+    (VOID)pthread_mutex_unlock(&g_epollMutex);
+    return ret;
 }

 int epoll_wait(int epfd, FAR struct epoll_event *evs, int maxevents, int timeout)
--- a/kernel/base/include/los_vm_map.h
+++ b/kernel/base/include/los_vm_map.h
@ -157,7 +157,8 @@ typedef struct VmSpace {
 #define     VM_MAP_REGION_FLAG_SHM                  (1<<16)
 #define     VM_MAP_REGION_FLAG_FIXED                (1<<17)
 #define     VM_MAP_REGION_FLAG_FIXED_NOREPLACE      (1<<18)
-#define     VM_MAP_REGION_FLAG_INVALID              (1<<19) /* indicates that flags are not specified */
+#define     VM_MAP_REGION_FLAG_LITEIPC              (1<<19)
+#define     VM_MAP_REGION_FLAG_INVALID              (1<<20) /* indicates that flags are not specified */

 STATIC INLINE UINT32 OsCvtProtFlagsToRegionFlags(unsigned long prot, unsigned long flags)
 {
--- a/kernel/base/vm/los_vm_dump.c
+++ b/kernel/base/vm/los_vm_dump.c
@ -76,6 +76,8 @@ const CHAR *OsGetRegionNameOrFilePath(LosVmMapRegion *region)
        return "MMAP";
    } else if (region->regionFlags & VM_MAP_REGION_FLAG_SHM) {
        return "SHM";
+    } else if (region->regionFlags & VM_MAP_REGION_FLAG_LITEIPC) {
+        return "LITEIPC";
    } else {
        return "";
    }
--- a/kernel/base/vm/los_vm_syscall.c
+++ b/kernel/base/vm/los_vm_syscall.c
@ -273,6 +273,8 @@ STATIC UINT32 OsInheritOldRegionName(UINT32 oldRegionFlags)
        vmFlags |= VM_MAP_REGION_FLAG_MMAP;
    } else if (oldRegionFlags & VM_MAP_REGION_FLAG_SHM) {
        vmFlags |= VM_MAP_REGION_FLAG_SHM;
+    } else if (oldRegionFlags & VM_MAP_REGION_FLAG_LITEIPC) {
+        vmFlags |= VM_MAP_REGION_FLAG_LITEIPC;
    }

    return vmFlags;
@ -298,7 +300,9 @@ INT32 LOS_DoMprotect(VADDR_T vaddr, size_t len, unsigned long prot)
        goto OUT_MPROTECT;
    }

-    if ((region->regionFlags & VM_MAP_REGION_FLAG_VDSO) || (region->regionFlags & VM_MAP_REGION_FLAG_HEAP)) {
+    if ((region->regionFlags & VM_MAP_REGION_FLAG_VDSO) ||
+        (region->regionFlags & VM_MAP_REGION_FLAG_HEAP) ||
+        (region->regionFlags & VM_MAP_REGION_FLAG_LITEIPC)) {
        ret = -EPERM;
        goto OUT_MPROTECT;
    }
--- a/kernel/base/vm/shm.c
+++ b/kernel/base/vm/shm.c
@ -689,6 +689,9 @@ INT32 ShmCtl(INT32 shmid, INT32 cmd, struct shmid_ds *buf)
                                    (shm_perm.mode & ACCESSPERMS);
            seg->ds.shm_ctime = time(NULL);
 #ifdef LOSCFG_SHELL
+            if (OsProcessIDUserCheckInvalid(shm_perm.uid)) {
+                break;
+            }
            (VOID)memcpy_s(seg->ownerName, OS_PCB_NAME_LEN, OS_PCB_FROM_PID(shm_perm.uid)->processName,
                           OS_PCB_NAME_LEN);
 #endif
--- a/kernel/extended/hidumper/los_hidumper.c
+++ b/kernel/extended/hidumper/los_hidumper.c
@ -278,7 +278,6 @@ static void DumpFaultLog(void)

 static void DumpMemData(struct MemDumpParam *param)
 {
-    PRINTK("\nDumpType: %d\n", param->type);
    PRINTK("Unsupported now!\n");
 }

--- a/kernel/extended/liteipc/hm_liteipc.c
+++ b/kernel/extended/liteipc/hm_liteipc.c
@ -239,6 +239,7 @@ LITE_OS_SEC_TEXT STATIC int LiteIpcMmap(struct file *filep, LosVmMapRegion *regi
        goto ERROR_MAP_OUT;
    }
    ipcInfo->pool.poolSize = region->range.size;
+    region->regionFlags |= VM_MAP_REGION_FLAG_LITEIPC;
    return 0;
 ERROR_MAP_OUT:
    LOS_VFree(ipcInfo->pool.kvaddr);
@ -757,7 +758,10 @@ LITE_OS_SEC_TEXT STATIC UINT32 HandlePtr(LosProcessCB *pcb, SpecialObj *obj, BOO
        obj->content.ptr.buff = (VOID *)GetIpcUserAddr(pcb, (INTPTR)buf);
        EnableIpcNodeFreeByUser(pcb, (VOID *)buf);
    } else {
-        (VOID)LiteIpcNodeFree(pcb, (VOID *)GetIpcKernelAddr(pcb, (INTPTR)obj->content.ptr.buff));
+        buf = (VOID *)GetIpcKernelAddr(pcb, (INTPTR)obj->content.ptr.buff);
+        if (IsIpcNode(pcb, buf) == TRUE) {
+            (VOID)LiteIpcNodeFree(pcb, buf);
+        }
    }
    return LOS_OK;
 }
Author	SHA1	Message	Date
openharmony_ci	0d1635757f	!1242 fs_epoll竞争漏洞修复 Merge pull request !1242 from 石子怡/master	2024-10-15 14:09:01 +00:00
石子怡	c099376d69	update fs/vfs/epoll/fs_epoll.c. Signed-off-by: 石子怡 <z15319797139@163.com>	2024-10-15 08:15:43 +00:00
石子怡	63f261d239	update fs/vfs/epoll/fs_epoll.c. Signed-off-by: 石子怡 <z15319797139@163.com>	2024-10-15 07:53:37 +00:00
石子怡	02abd34ad2	update fs/vfs/epoll/fs_epoll.c. Signed-off-by: 石子怡 <z15319797139@163.com>	2024-10-15 07:47:13 +00:00
openharmony_ci	20c42a9de5	!1238 shm pid 入参漏洞修复 Merge pull request !1238 from hw_llm/master	2024-10-12 12:07:26 +00:00
hw_llm	14c79fc921	Description: shm pid入参漏洞修复 IssueNo: https://gitee.com/openharmony/kernel_liteos_a/issues/IAWM6R Feature Or Bugfix: Bugfix Binary Source: No Signed-off-by: hw_llm <liu.limin@huawei.com>	2024-10-12 18:29:50 +08:00
openharmony_ci	51428fb84a	!1235 hidumper 漏洞修复 Merge pull request !1235 from hw_llm/master	2024-09-29 14:20:21 +00:00
hw_llm	31da79ec80	Description: hidumper 漏洞修复 IssueNo: https://gitee.com/openharmony/kernel_liteos_a/issues/IAUKD9 Feature Or Bugfix: Bugfix Binary Source: No Signed-off-by: hw_llm <liu.limin@huawei.com>	2024-09-29 17:41:35 +08:00
openharmony_ci	88cfb3de9d	!1232 mem 漏洞修复 Merge pull request !1232 from hw_llm/master	2024-09-29 09:12:37 +00:00
hw_llm	4bb465f9af	Description: mem 漏洞修复 IssueNo: https://gitee.com/openharmony/kernel_liteos_a/issues/IAUJDR Feature Or Bugfix: Bugfix Binary Source: No Signed-off-by: hw_llm <liu.limin@huawei.com>	2024-09-29 16:09:45 +08:00
openharmony_ci	ef7610470c	!1229 liteipc 解决释放后使用问题 Merge pull request !1229 from hw_llm/master	2024-09-24 01:11:34 +00:00
hw_llm	8b57198526	Description: liteipc 解决释放后使用问题 IssueNo: https://gitee.com/openharmony/kernel_liteos_a/issues/IAT2X3 Feature Or Bugfix: Bugfix Binary Source: No Signed-off-by: hw_llm <liu.limin@huawei.com>	2024-09-23 20:01:13 +08:00
openharmony_ci	09bcabfaf6	!1225 VM Map 添加LITEIPC保护 Merge pull request !1225 from hw_llm/master	2024-09-20 09:53:50 +00:00
hw_llm	75af9e28d9	Description: VM Map 添加LiteIPC 保护 IssueNo: https://gitee.com/openharmony/kernel_liteos_a/issues/IASJFR Feature Or Bugfix: Bugfix Binary Source: No Signed-off-by: hw_llm <liu.limin@huawei.com>	2024-09-20 16:42:19 +08:00