From 1e8f80371d4ed5a702782df84bfc749aae19c1a8 Mon Sep 17 00:00:00 2001
From: yuejianjun
Date: Tue, 30 Aug 2022 20:31:37 +0800
Subject: [PATCH] Fix vulnerabilities of mmz
Signed-off-by: yuejianjun
Change-Id: Ia4d7b98771b080b6e234f59894a6bd912520f289
---
 sdk_linux/soc/src/osal/include/osal_mmz.h | 4 ++--
 sdk_linux/soc/src/osal/linux/mmz/mmz_userdev.c | 18 ++++++++++++------
 2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/sdk_linux/soc/src/osal/include/osal_mmz.h b/sdk_linux/soc/src/osal/include/osal_mmz.h
index b7e4742..ebfa798 100644
--- a/sdk_linux/soc/src/osal/include/osal_mmz.h
+++ b/sdk_linux/soc/src/osal/include/osal_mmz.h
@@ -47,7 +47,7 @@ struct hil_media_memory_zone {
 };
 typedef struct hil_media_memory_zone hil_mmz_t;
-#define HIL_MMZ_FMT_S "PHYS(0x%08lX, 0x%08lX), GFP=%lu, nBYTES=%luKB, NAME=\"%s\""
+#define HIL_MMZ_FMT_S "PHYS(0x%08pK, 0x%08pK), GFP=%lu, nBYTES=%luKB, NAME=\"%s\""
 #define hil_mmz_fmt_arg(p) (p)->phys_start, (p)->phys_start + (p)->nbytes - 1, (p)->gfp, (p)->nbytes / SZ_1K, (p)->name
 struct hil_media_memory_block {
@@ -81,7 +81,7 @@ typedef struct hil_media_memory_block hil_mmb_t;
 #define HIL_MMB_MAP2KERN_CACHED (1 << 1)
 #define HIL_MMB_RELEASED (1 << 2)
-#define HIL_MMB_FMT_S "phys(0x%08lX, 0x%08lX), kvirt=0x%08lX, flags=0x%08lX, length=%luKB, name=\"%s\""
+#define HIL_MMB_FMT_S "phys(0x%08pK, 0x%08pK), kvirt=0x%08pK, flags=0x%08pK, length=%luKB, name=\"%s\""
 #define hil_mmb_fmt_arg(p) \
 (p)->phys_addr, mmz_grain_align((p)->phys_addr + (p)->length) - 1, \
 (unsigned long)(uintptr_t)((p)->kvirt), (p)->flags, (p)->length / SZ_1K, (p)->name
diff --git a/sdk_linux/soc/src/osal/linux/mmz/mmz_userdev.c b/sdk_linux/soc/src/osal/linux/mmz/mmz_userdev.c
index 415bef1..1fac751 100644
--- a/sdk_linux/soc/src/osal/linux/mmz/mmz_userdev.c
+++ b/sdk_linux/soc/src/osal/linux/mmz/mmz_userdev.c
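Review bot: The new `%08pK` conversions in HIL_MMZ_FMT_S are fed integers, not pointers: the unchanged hil_mmz_fmt_arg line still passes `(p)->phys_start` and `(p)->phys_start + (p)->nbytes - 1`, which the removed `%08lX` shows are unsigned long, while the kernel's `%p` handler pulls a `void *` off the va_list. That is a format/argument mismatch (-Wformat flags it, and it is undefined in C) that only works because sizeof(unsigned long) == sizeof(void *) on both the 32- and 64-bit builds this header targets. Cast at the macro so the redaction is well-defined: `#define hil_mmz_fmt_arg(p) (void *)(uintptr_t)(p)->phys_start, (void *)(uintptr_t)((p)->phys_start + (p)->nbytes - 1), (p)->gfp, (p)->nbytes / SZ_1K, (p)->name`. Note too that `%pK` still prints the real physical address to readers allowed by kptr_restrict, which is presumably intended, but the commit message should say that this is a redaction for unprivileged log readers rather than a removal of the address.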
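Review bot: `flags=0x%08pK` in the new HIL_MMB_FMT_S hashes (or zeroes, under kptr_restrict) a bitmask rather than an address: hil_mmb_fmt_arg passes `(p)->flags`, whose HIL_MMB_MAP2KERN_CACHED / HIL_MMB_RELEASED bits are visible in this very hunk, so the one field that is harmless to print becomes unreadable in diagnostics. Keep it as `flags=0x%08lX` and apply `%pK` only to the two physical addresses and kvirt. For kvirt, pass the pointer itself instead of `(unsigned long)(uintptr_t)((p)->kvirt)` (the integer cast now feeds a `%p`, which expects `void *`), and give the two phys values the reverse cast, `(void *)(uintptr_t)`, for the same reason; the 64-bit `mmz_grain_align(...) - 1` expression in the context line is also an integer.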
@@ -888,6 +888,7 @@ int mmz_userdev_mmap(struct file *file, struct vm_area_struct *vma)
 struct mmb_info *p = NULL;
 struct mmz_userdev_info *pmu = file->private_data;
 unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
+ unsigned long size = vma->vm_end - vma->vm_start;
 hil_mmb_t *mmb = NULL;
 int mmb_cached = 0;
@@ -897,13 +898,15 @@ int mmz_userdev_mmap(struct file *file, struct vm_area_struct *vma)
 mmb = hil_mmb_getby_phys_2(offset, &mmb_offset);
 if (mmb == NULL) {
 /* Allow mmap MMZ allocated by other core. */
- if (hil_map_mmz_check_phys(offset, vma->vm_end - vma->vm_start)) {
+ if (hil_map_mmz_check_phys(offset, size)) {
 return -EPERM;
 }
 } else {
 mmb_cached = mmb->flags & HIL_MMB_MAP2KERN_CACHED;
 }
 } else {
+ mmb = p->mmb;
+
 if (p->mapped != NULL) {
 if (p->map_cached) {
 error_mmz("mmb(0x%08lX) have been mapped already and cache_type is %u?!\n", offset, p->map_cached);
@@ -913,6 +916,11 @@ int mmz_userdev_mmap(struct file *file, struct vm_area_struct *vma)
 mmb_cached = p->map_cached;
 }
+ if (mmb != NULL && mmb->length - (offset - mmb->phys_addr) < size) {
+ error_mmz("mmap failed for oversize %08lX\n", size);
+ return -EINVAL;
+ }
+
 if (file->f_flags & O_SYNC) {
 #ifdef CONFIG_64BIT
 vma->vm_page_prot = __pgprot(pgprot_val(vma->vm_page_prot)
@@ -941,7 +949,6 @@ int mmz_userdev_mmap(struct file *file, struct vm_area_struct *vma)
 if (pfn_valid(vma->vm_pgoff)) {
 unsigned long start = vma->vm_start;
 unsigned long pfn = vma->vm_pgoff;
- size_t size = vma->vm_end - vma->vm_start;
 while (size) {
 if (pfn_valid(pfn)) {
@@ -962,7 +969,6 @@ int mmz_userdev_mmap(struct file *file, struct vm_area_struct *vma)
 pfn++;
 }
 } else {
- size_t size = vma->vm_end - vma->vm_start;
 if (size == 0) {
 return -EPERM;
 }
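Review bot: The `error_mmz("mmb(0x%08lX) have been mapped already ...", offset, ...)` line just below the added `mmb = p->mmb;` still logs the raw physical address with `%08lX`, so this function keeps exactly the disclosure the rest of the commit converts to `%pK`; it should become `"mmb(0x%pK) have been mapped already and cache_type is %u?!\n"` with `(void *)(uintptr_t)offset`. Separately, hil_mmb_getby_phys_2() fills `mmb_offset` on the `p == NULL` path but nothing in the hunk reads it — if it is the offset of `offset` inside the returned mmb, it is the value the later length check wants instead of recomputing `offset - mmb->phys_addr`, and using it would make that relationship explicit. mmz_userdev_mmap starts before and continues past this hunk.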
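Review bot: The new guard `mmb->length - (offset - mmb->phys_addr) < size` is pure unsigned arithmetic, so if `offset` is ever below `mmb->phys_addr`, or more than `mmb->length` past it, both subtractions wrap to a huge value and the oversized mapping is accepted rather than refused. Whether hil_mmb_getby_phys_2() can return such an mmb is not visible here (the `p != NULL` path looks safe since `p` was found by `offset`), but this check is the one guard between a user-chosen `vm_pgoff`/length and a remap of physical memory, and making it wrap-proof costs one local. It is also worth confirming that `mmb->length` is page-granular, because `size` always is; if lengths can be sub-page, a legitimate mapping of the final partial page is rejected here. The rest of the function, including the remap itself, is outside the hunk.
```c
    if (mmb != NULL) {
        unsigned long in_mmb = offset - mmb->phys_addr;

        /* reject out-of-range offset before the length arithmetic can wrap */
        if (offset < mmb->phys_addr || in_mmb > mmb->length || size > mmb->length - in_mmb) {
            error_mmz("mmap failed for oversize %08lX\n", size);
            return -EINVAL;
        }
    }
    /* … unchanged: O_SYNC / cache attribute setup … */
```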
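Review bot: Removing the block-local `size_t size` means `while (size)` now runs on the function-scope `unsigned long size` declared in the first hunk; if the loop body (outside the hunk) decrements it, as the original per-block copy suggests, `size` is 0 once the pfn_valid branch completes. Any later statement in mmz_userdev_mmap that still reads `size` — a trailing log line or bookkeeping, not visible here — would now see 0 instead of the mapping length, so please check the remainder of the function or iterate on a scratch copy, `unsigned long remain = size;`, in the pfn_valid branch.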
@@ -990,7 +996,7 @@ static int mmz_userdev_release(struct inode *inode, struct file *file)
 osal_unused(inode);
 list_for_each_entry_safe(p, n, &pmu->list, list) {
- error_mmz("MMB LEAK(pid=%d): 0x%lX, %lu bytes, '%s'\n",
+ error_mmz("MMB LEAK(pid=%d): 0x%pK, %lu bytes, '%s'\n",
 pmu->pid, hil_mmb_phys(p->mmb), hil_mmb_length(p->mmb), hil_mmb_name(p->mmb));
@@ -1001,10 +1007,10 @@ static int mmz_userdev_release(struct inode *inode, struct file *file)
 */
 if (p->mapped != NULL) {
 #if defined(KERNEL_BIT_64) && defined(USER_BIT_32)
- warning("mmb<0x%llx> mapped to userspace 0x%pK will be unmapped!\n",
+ warning("mmb<0x%pK> mapped to userspace 0x%pK will be unmapped!\n",
 p->phys_addr, p->mapped);
 #else
- warning("mmb<0x%lx> mapped to userspace 0x%pK will be unmapped!\n",
+ warning("mmb<0x%pK> mapped to userspace 0x%pK will be unmapped!\n",
 p->phys_addr, p->mapped);
 #endif
 }
-- Gitee
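Review bot: `0x%pK` now receives `hil_mmb_phys(p->mmb)`, which the removed `%lX` shows is an unsigned long; the kernel `%p` handler takes a `void *` off the va_list, so cast it, `(void *)(uintptr_t)hil_mmb_phys(p->mmb)`, rather than relying on the two types having the same width. The hashed output also makes this LEAK report hard to correlate with other logs for anyone without the privilege to see real `%pK` values, which is an acceptable trade for a hardening change but deserves a one-line comment above the call: `/* %pK: block address is redacted for unprivileged dmesg readers */`. The list_for_each_entry_safe body continues outside the hunk.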
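Review bot: After this change the `#if defined(KERNEL_BIT_64) && defined(USER_BIT_32)` arm and the `#else` arm are byte-identical, so the conditional is dead and should collapse to a single `warning(...)`. The removed `%llx` arm shows `p->phys_addr` is a 64-bit integer in that configuration, and passing it to `%pK` works only because a 64-bit kernel's `void *` happens to be 8 bytes, so the merged call should cast explicitly: `warning("mmb<0x%pK> mapped to userspace 0x%pK will be unmapped!\n", (void *)(uintptr_t)p->phys_addr, p->mapped);`.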