git.baikalelectronics.ru Git - kernel.git/commit

author	Jann Horn <jannh@google.com>
	Wed, 16 Oct 2019 15:01:18 +0000 (17:01 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 17 Oct 2019 12:58:44 +0000 (05:58 -0700)
commit	24a19aa5fcd3e41bac52445538485d11c0f89255
tree	ff505d460ace78810d7dcf93084d32d2d830d409	tree \| snapshot
parent	1a1521bb50a95f9e476c2109d83bfa47e4706c56	commit \| diff

binder: Don't modify VMA bounds in ->mmap handler

binder_mmap() tries to prevent the creation of overly big binder mappings
by silently truncating the size of the VMA to 4MiB. However, this violates
the API contract of mmap(). If userspace attempts to create a large binder
VMA, and later attempts to unmap that VMA, it will call munmap() on a range
beyond the end of the VMA, which may have been allocated to another VMA in
the meantime. This can lead to userspace memory corruption.

The following sequence of calls leads to a segfault without this commit:

int main(void) {
  int binder_fd = open("/dev/binder", O_RDWR);
  if (binder_fd == -1) err(1, "open binder");
  void *binder_mapping = mmap(NULL, 0x800000UL, PROT_READ, MAP_SHARED,
                              binder_fd, 0);
  if (binder_mapping == MAP_FAILED) err(1, "mmap binder");
  void *data_mapping = mmap(NULL, 0x400000UL, PROT_READ|PROT_WRITE,
                            MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
  if (data_mapping == MAP_FAILED) err(1, "mmap data");
  munmap(binder_mapping, 0x800000UL);
  *(char*)data_mapping = 1;
  return 0;
}

Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20191016150119.154756-1-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/android/binder.c		diff \| blob \| history
drivers/android/binder_alloc.c		diff \| blob \| history