Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp146507imm;
        Tue, 19 Jun 2018 17:59:04 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKLbq7zbCzzoH1wYviYsBI9W2UhaEWeh/R53+QIiwZpWLO2GLOgTnAQh4vUQFNbfU9Y4TiP5
X-Received: by 2002:a17:902:206:: with SMTP id 6-v6mr21292867plc.294.1529456344629;
        Tue, 19 Jun 2018 17:59:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1529456344; cv=none;
        d=google.com; s=arc-20160816;
        b=b1FKrrLBn4SIpf9v5+gf/ZZGd3v/JR0tUAK/8dd/OhH27BnHHdrmddwg3E+ouv6DbD
         RnXtSg/2UZ00cvnCW/eIAlpqJms5W86/PzOgzXr/NURnbhnVRLUEpKex5BldCzX2dMlP
         NHGSVEV5ye9lC1xLka0/VGndBNgJBojugngJSA36f0PPNuH5gpyeLS2/RQFya8/3GqiW
         KZ8sJfkZUgNTONvyFnIlMYVBncx7pNFiPxzUG8y3XiMhaS3XzL/bpTFAMZVy6xKOpgvd
         6MmSnBSz74DfZA+/OMB2Du3UKHJ+FSEeWcUrGnnJI3/pAQFXYV7QRBn1etzkjr+EEPd7
         eLog==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:from
         :subject:references:mime-version:message-id:in-reply-to:date
         :dkim-signature:arc-authentication-results;
        bh=4i9Hw9/LDH2j4RtXKs7ySY6W5TSRQ5EvN9DnQLvFl2g=;
        b=jftABKd+h7UEHjR9UO5H4waVYGBCQ/ak8aKl1l/eOjQoCeDhoXOpKkQBkEbfQ3joWz
         IcjzSZJqa5IJ0AZD5MYP2LfuWhH6Frq4gvD6pVgQWa/humj/193uh1I+UxPys+GorA3J
         CPBlCUd9zpO0EK5oGXDkETQ53TLHMPngEmFeB2qJ0UprcAHzuNAVsMxXOc/ONku9KTx/
         VwJaClIeK30BU7BmBvU30LJBXgry9IV7M2LisDHxNuQ/sReoLaEgPXNNmuwiMLJ8qN9K
         Yyo+mX6g1YA5OGof68yCD1eR0hfUU7CqwAW22jiQkW6JO2Q3dyKZq4T5yWCtnL7vtNMK
         DXKA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=KeFYAaHj;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id y20-v6si986471plr.55.2018.06.19.17.58.50;
        Tue, 19 Jun 2018 17:59:04 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=KeFYAaHj;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753930AbeFTA6G (ORCPT <rfc822;fezhang.suse@gmail.com>
        + 99 others); Tue, 19 Jun 2018 20:58:06 -0400
Received: from mail-yw0-f201.google.com ([209.85.161.201]:40210 "EHLO
        mail-yw0-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753765AbeFTA6E (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 19 Jun 2018 20:58:04 -0400
Received: by mail-yw0-f201.google.com with SMTP id q6-v6so1033575ywa.7
        for <linux-kernel@vger.kernel.org>; Tue, 19 Jun 2018 17:58:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:in-reply-to:message-id:mime-version:references:subject:from:to
         :cc:content-transfer-encoding;
        bh=4i9Hw9/LDH2j4RtXKs7ySY6W5TSRQ5EvN9DnQLvFl2g=;
        b=KeFYAaHjbJ4ASBZMJkk1POx5ta/0P5MJ0kSQTHHB8c71Iz7DWXwdN8go/1ziA+uFgT
         vKADRMrE6m8+fhXq+JquWgcxtEgxW+MiFp2Ak7jw76mguL1Czu5VvX+7hRRD5nHFlXBU
         /W62MpcrAQiKECO2s0cc1sPrajHRwJIx/ZhIB9YODHOIKiTekLjxtvWI2JlevkKUBqau
         ccHao56G5WyLrb7AvbSz6zGqxZJ8ecM7nKX8gv9/BctFl3HMCGHIZ9CT05gNk30yZGnL
         7EtnKuuy9bMthssfENaR0wkH6yM9EPu0ENlMe39/BSIbkmu4mfugvAyt/XoCSTu1LZwb
         NQQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:in-reply-to:message-id:mime-version
         :references:subject:from:to:cc:content-transfer-encoding;
        bh=4i9Hw9/LDH2j4RtXKs7ySY6W5TSRQ5EvN9DnQLvFl2g=;
        b=XJUnvNoi+isMZjvt1oaxhwLsc+WPrQ58VaFQ02BYHrtrLK5vfebZ+67z+OaaFq/Tif
         hLNVrTXrgVtXI1sHj4MeizuF1OplBuEAWK77BJu7s5V10Os/PkMRxMfZ8pen78/xiV89
         0OPSJCyK/ASVDCesW3dnQp4a3BB65016Io486brgDZPJ+n+yM5cMmD1Ep25VdWr3M7oj
         2f/+VidbycJrhTCsHkUQOmy/QpZGcisKjBcCHZslNwSmDx9kmgSV0cccRMcagXahNMPc
         14RKtnTjCpQtvn2aQBrsMZZhzLr/uc8g3VFadjVkg4hyB1079N15+1CpFn9bhg6Qfj/Z
         ur5w==
X-Gm-Message-State: APt69E0iarw3400HZ0xFx0SIizIJImD5vGTmlyIUNa6MozCVjP4fgTd0
        bZOBkGeUl182puf280fMINgQPt8RDhiAoj5W0GRL0MOCbeFX+4PRUnfnXhY6nWp9XTln+1TH8J8
        BJX7oP5SF+ggdY0kQ+33/4xHGbHY2kzX9zIpN01opOhoRyea55tibRExXjcas4CEebetFmzDSHs
        URww==
X-Received: by 2002:a5b:54c:: with SMTP id r12-v6mr1016158ybp.53.1529456283361;
 Tue, 19 Jun 2018 17:58:03 -0700 (PDT)
Date:   Tue, 19 Jun 2018 17:57:35 -0700
In-Reply-To: <20180620005735.219840-1-astrachan@google.com>
Message-Id: <20180620005735.219840-2-astrachan@google.com>
Mime-Version: 1.0
References: <20180620005735.219840-1-astrachan@google.com>
X-Mailer: git-send-email 2.18.0.rc1.244.gcf134e6275-goog
Subject: [PATCH 2/2 v2] staging: android: ashmem: Fix mmap size validation
From:   Alistair Strachan <astrachan@google.com>
To:     linux-kernel@vger.kernel.org
Cc:     Alistair Strachan <astrachan@google.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        "=?UTF-8?q?Arve=20Hj=C3=B8nnev=C3=A5g?=" <arve@android.com>,
        Todd Kjos <tkjos@android.com>,
        Martijn Coenen <maco@android.com>, devel@driverdev.osuosl.org,
        kernel-team@android.com, Joel Fernandes <joel@joelfernandes.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The ashmem driver did not check that the size/offset of the vma passed
to its .mmap() function was not larger than the ashmem object being
mapped. This could cause mmap() to succeed, even though accessing parts
of the mapping would later fail with a segmentation fault.

Ensure an error is returned by the ashmem_mmap() function if the vma
size is larger than the ashmem object size. This enables safer handling
of the problem in userspace.

Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Arve Hj=C3=B8nnev=C3=A5g <arve@android.com>
Cc: Todd Kjos <tkjos@android.com>
Cc: Martijn Coenen <maco@android.com>
Cc: devel@driverdev.osuosl.org
Cc: linux-kernel@vger.kernel.org
Cc: kernel-team@android.com
Cc: Joel Fernandes <joel@joelfernandes.org>
Signed-off-by: Alistair Strachan <astrachan@google.com>
---
v2: Removed unnecessary use of unlikely() macro

 drivers/staging/android/ashmem.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ash=
mem.c
index c6386e4f5c9b..e392358ec244 100644
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -366,6 +366,12 @@ static int ashmem_mmap(struct file *file, struct vm_ar=
ea_struct *vma)
 		goto out;
 	}
=20
+	/* requested mapping size larger than object size */
+	if (vma->vm_end - vma->vm_start > PAGE_ALIGN(asma->size)) {
+		ret =3D -EINVAL;
+		goto out;
+	}
+
 	/* requested protection bits must match our allowed protection mask */
 	if ((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask, 0)) &
 	    calc_vm_prot_bits(PROT_MASK, 0)) {