rpmsgblk: check if the block device has been removed before calling its ops

it may cause use after free if server has removed block device before calling its operations,such as: server: rm /dev/testrpmsgblk client: ls /dev/testrpmsgblk Signed-off-by: liaoao <liaoao@xiaomi.com>
2023-11-02 15:19:27 +08:00 · 2023-11-02 15:19:27 +08:00 · 4b25a0dfa5
commit 4b25a0dfa5
parent 12d66da892
1 changed files with 50 additions and 0 deletions
--- a/drivers/misc/rpmsgblk_server.c
+++ b/drivers/misc/rpmsgblk_server.c
@ -116,6 +116,16 @@ static int rpmsgblk_open_handler(FAR struct rpmsg_endpoint *ept,
  FAR struct rpmsgblk_server_s *server = ept->priv;
  FAR struct rpmsgblk_open_s *msg = data;

+  /* To check if the block device has been removed by unlink operation. */
+
+#ifndef CONFIG_DISABLE_PSEUDOFS_OPERATIONS
+  if (server->blknode->i_peer == NULL)
+    {
+      msg->header.result = -ENODEV;
+      return rpmsg_send(ept, msg, sizeof(*msg));
+    }
+#endif
+
  if (server->bops->open != NULL)
    {
      msg->header.result = server->bops->open(server->blknode);
@ -143,6 +153,14 @@ static int rpmsgblk_close_handler(FAR struct rpmsg_endpoint *ept,
  FAR struct rpmsgblk_server_s *server = ept->priv;
  FAR struct rpmsgblk_close_s *msg = data;

+#ifndef CONFIG_DISABLE_PSEUDOFS_OPERATIONS
+  if (server->blknode->i_peer == NULL)
+    {
+      msg->header.result = -ENODEV;
+      return rpmsg_send(ept, msg, sizeof(*msg));
+    }
+#endif
+
  if (server->bops->close != NULL)
    {
      msg->header.result = server->bops->close(server->blknode);
@ -175,6 +193,14 @@ static int rpmsgblk_read_handler(FAR struct rpmsg_endpoint *ept,
  size_t nsectors;
  uint32_t space;

+#ifndef CONFIG_DISABLE_PSEUDOFS_OPERATIONS
+  if (server->blknode->i_peer == NULL)
+    {
+      msg->header.result = -ENODEV;
+      return rpmsg_send(ept, msg, sizeof(*msg) - 1);
+    }
+#endif
+
  while (read < msg->nsectors)
    {
      rsp = rpmsg_get_tx_payload_buffer(ept, &space, true);
@ -223,6 +249,14 @@ static int rpmsgblk_write_handler(FAR struct rpmsg_endpoint *ept,
  FAR struct rpmsgblk_write_s *msg = data;
  int ret;

+#ifndef CONFIG_DISABLE_PSEUDOFS_OPERATIONS
+  if (server->blknode->i_peer == NULL)
+    {
+      msg->header.result = -ENODEV;
+      return rpmsg_send(ept, msg, sizeof(*msg) - 1);
+    }
+#endif
+
  ret = server->bops->write(server->blknode, (FAR unsigned char *)msg->buf,
                            msg->startsector, msg->nsectors);
  if (ret <= 0)
@ -254,6 +288,14 @@ static int rpmsgblk_geometry_handler(FAR struct rpmsg_endpoint *ept,
  FAR struct rpmsgblk_server_s *server = ept->priv;
  FAR struct rpmsgblk_geometry_s *msg = data;

+#ifndef CONFIG_DISABLE_PSEUDOFS_OPERATIONS
+  if (server->blknode->i_peer == NULL)
+    {
+      msg->header.result = -ENODEV;
+      return rpmsg_send(ept, msg, len);
+    }
+#endif
+
  DEBUGASSERT(msg->arglen == sizeof(struct geometry));

  msg->header.result = server->bops->geometry(
@ -273,6 +315,14 @@ static int rpmsgblk_ioctl_handler(FAR struct rpmsg_endpoint *ept,
  FAR struct rpmsgblk_server_s *server = ept->priv;
  FAR struct rpmsgblk_ioctl_s *msg = data;

+#ifndef CONFIG_DISABLE_PSEUDOFS_OPERATIONS
+  if (server->blknode->i_peer == NULL)
+    {
+      msg->header.result = -ENODEV;
+      return rpmsg_send(ept, msg, len);
+    }
+#endif
+
  switch (msg->request)
    {
      case MMC_IOC_CMD: