Date: Tue, 19 Jun 2018 15:24:44 -0700
Message-Id: <20180619222444.134928-1-astrachan@google.com>
Subject: [PATCH] staging: android: ashmem: Fix mmap size validation
From: Alistair Strachan
To: linux-kernel@vger.kernel.org
Cc: Alistair Strachan, Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, devel@driverdev.osuosl.org, kernel-team@android.com
X-Mailing-List: linux-kernel@vger.kernel.org

The ashmem driver did not check that the size/offset of the vma passed
to its .mmap() function was not larger than the ashmem object being
mapped. This could cause mmap() to succeed, even though accessing parts
of the mapping would later fail with a segmentation fault.

Ensure an error is returned by the ashmem_mmap() function if the vma
size is larger than the ashmem object size. This enables safer handling
of the problem in userspace.

Cc: Greg Kroah-Hartman
Cc: Arve Hjønnevåg
Cc: Todd Kjos
Cc: Martijn Coenen
Cc: devel@driverdev.osuosl.org
Cc: kernel-team@android.com
Signed-off-by: Alistair Strachan --- drivers/staging/android/ashmem.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ash= mem.c index a1a0025b59e0..1eeedb529a10 100644 --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -366,6 +366,12 @@ static int ashmem_mmap(struct file *file, struct vm_ar= ea_struct *vma) goto out; } =20 + /* requested mapping size larger than object size */ + if (unlikely(vma->vm_end - vma->vm_start > PAGE_ALIGN(asma->size))) { + ret =3D -EINVAL; + goto out; + } + /* requested protection bits must match our allowed protection mask */ if (unlikely((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask, 0)) & calc_vm_prot_bits(PROT_MASK, 0))) {
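Review bot: the added check in ashmem_mmap() validates only the mapping length (vma->vm_end - vma->vm_start) against PAGE_ALIGN(asma->size), although the commit message says the size/offset of the vma was unchecked. A request with a non-zero vma->vm_pgoff whose length still fits within the object is not rejected by this condition. Either fold the offset into the comparison, for example by rejecting when (vma->vm_pgoff << PAGE_SHIFT) plus the mapping length exceeds PAGE_ALIGN(asma->size), or reword the message so it only claims the size check. The comment "requested mapping size larger than object size" could also say that the object size is rounded up to a page boundary, since that is why a mapping slightly larger than asma->size is still accepted.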