Date: Tue, 19 Jun 2018 17:57:35 -0700
In-Reply-To: <20180620005735.219840-1-astrachan@google.com>
Message-Id: <20180620005735.219840-2-astrachan@google.com>
Mime-Version: 1.0
References: <20180620005735.219840-1-astrachan@google.com>
X-Mailer: git-send-email 2.18.0.rc1.244.gcf134e6275-goog
Subject: [PATCH 2/2 v2] staging: android: ashmem: Fix mmap size validation
From: Alistair Strachan
To: linux-kernel@vger.kernel.org
Cc: Alistair Strachan, Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, devel@driverdev.osuosl.org, kernel-team@android.com, Joel Fernandes
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailing-List: linux-kernel@vger.kernel.org

The ashmem driver did not check that the size/offset of the vma passed to its .mmap() function was not larger than the ashmem object being mapped. This could cause mmap() to succeed, even though accessing parts of the mapping would later fail with a segmentation fault.

Ensure an error is returned by the ashmem_mmap() function if the vma size is larger than the ashmem object size. This enables safer handling of the problem in userspace.

Cc: Greg Kroah-Hartman
Cc: Arve Hjønnevåg
Cc: Todd Kjos
Cc: Martijn Coenen
Cc: devel@driverdev.osuosl.org
Cc: linux-kernel@vger.kernel.org
Cc: kernel-team@android.com
Cc: Joel Fernandes
Signed-off-by: Alistair Strachan
---
v2: Removed unnecessary use of unlikely() macro

 drivers/staging/android/ashmem.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ash= mem.c index c6386e4f5c9b..e392358ec244 100644 --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -366,6 +366,12 @@ static int ashmem_mmap(struct file *file, struct vm_ar= ea_struct *vma) goto out; } =20 + /* requested mapping size larger than object size */ + if (vma->vm_end - vma->vm_start > PAGE_ALIGN(asma->size)) { + ret =3D -EINVAL; + goto out; + } + /* requested protection bits must match our allowed protection mask */ if ((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask, 0)) & calc_vm_prot_bits(PROT_MASK, 0)) {
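
Review bot: The new check in ashmem_mmap() compares only the mapping length (vma->vm_end - vma->vm_start) against PAGE_ALIGN(asma->size), while the commit message describes the missing validation as covering the vma's size/offset. vma->vm_pgoff does not appear in the added lines, so a mapping that starts at a non-zero page offset and fits by length alone is not rejected by this test. Either fold the offset into the comparison, working in page units so the sum cannot wrap, or reword the commit message and the code comment to say that only the size is validated.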