Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp2255911ybg;
        Sun, 27 Oct 2019 14:31:10 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwPKyyyQW8U2f9vP2fS7ieQCwF3daZY5wZ3/ln4P80MiDdhZg3Jo7RW11nXcdH/89GDg28F
X-Received: by 2002:a17:906:4d4f:: with SMTP id b15mr13423139ejv.81.1572211869785;
        Sun, 27 Oct 2019 14:31:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1572211869; cv=none;
        d=google.com; s=arc-20160816;
        b=rhxl/NjxzM2dJyHoplkf5P7r1Tiqd7oOpVlo6RdDP/qHycHjscOHpe4gNZkVEp9B0G
         HezoP3XNsuwT1d//d2ZVjLAW6t+X8nLyifqo9tPsYEbhbz64G67wI/sGZRgl444FJhH0
         mMWCQMcgXhSPqef3VoqqmjJyVOgb1ynbjE/GSegJk9v2bZMpLOa7UyZW7G+FlpHHsrr4
         IT83zE69fsXnhlTCIrBpFsN2x65McGLfrKVxcoWDzaFHaw3CFaEshGTTma4e8cnvPIE9
         DV2BKd/QFC29xOYGF19uUVhtN/UQ3S6nBg99lDtwBmgohbL+ip7YMFiOi5XU00GsimJ0
         DL2Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=VwJlqHFrJe0cPYitv4aOlFsdsUef2Q6m+jvV5Q9ypls=;
        b=ZG9WKH0GlWbAsTbGjMc21rV7WiDfrExPNBh2wweMXkIj3q0orwxizjOIa3uQPm262R
         DXTx2zEdvPUb47PCiQtGwX8mP06g/OU1m+LyFYkjnI9N0LS2+HF3lf/gpgG6ejOw8JoU
         WlT57ONUXBDNk8gsmQKQHRcrwUbNtvhCIxJtwxqaeO4sWzTtlIgvZibs3o3jHxJhvMmA
         DRXQ4V7q0ljIPwj94uSB05qEW0aosnYhwpxIGmAC4cPEqo0VdAqpN8gc0WUFeUqAw5Bk
         yMsATu2ib6LCgoVdPbP5kQfeiZH0o03v2iWGQQCXHW05z7GYIox8Tv0JJTu8CQMYrCDs
         EB1g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=zQQw8YS+;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id dt26si4855846ejb.38.2019.10.27.14.30.46;
        Sun, 27 Oct 2019 14:31:09 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=zQQw8YS+;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732019AbfJ0VVx (ORCPT <rfc822;hackukernel@gmail.com>
        + 99 others); Sun, 27 Oct 2019 17:21:53 -0400
Received: from mail.kernel.org ([198.145.29.99]:42748 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1732003AbfJ0VVv (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 27 Oct 2019 17:21:51 -0400
Received: from localhost (100.50.158.77.rev.sfr.net [77.158.50.100])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id B5CF4205C9;
        Sun, 27 Oct 2019 21:21:48 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1572211309;
        bh=ZsDH3NgIiIv8WoNggeN0CAZhb5agtvBUOhbYhrM+c1E=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=zQQw8YS+gWtCevP7F/nMAxmweZB3VENKiJIcuwPvV5XGwHyajPvVKA26PQqHcMHNC
         dr7tRrrNzIHEalXHaisOTysASE+aiuYJlxcwObVLJn+0r7F+fqX+kj8pZwka1L8YwO
         RSkM0OdYW6yTnk9XeRyuqTu/9FmSUZ0pCrUJaXQM=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Jann Horn <jannh@google.com>,
        Todd Kjos <tkjos@google.com>,
        Christian Brauner <christian.brauner@ubuntu.com>
Subject: [PATCH 5.3 106/197] binder: Dont modify VMA bounds in ->mmap handler
Date:   Sun, 27 Oct 2019 22:00:24 +0100
Message-Id: <20191027203357.480111405@linuxfoundation.org>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20191027203351.684916567@linuxfoundation.org>
References: <20191027203351.684916567@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Jann Horn <jannh@google.com>

commit 45d02f79b539073b76077836871de6b674e36eb4 upstream.

binder_mmap() tries to prevent the creation of overly big binder mappings
by silently truncating the size of the VMA to 4MiB. However, this violates
the API contract of mmap(). If userspace attempts to create a large binder
VMA, and later attempts to unmap that VMA, it will call munmap() on a range
beyond the end of the VMA, which may have been allocated to another VMA in
the meantime. This can lead to userspace memory corruption.

The following sequence of calls leads to a segfault without this commit:

int main(void) {
  int binder_fd = open("/dev/binder", O_RDWR);
  if (binder_fd == -1) err(1, "open binder");
  void *binder_mapping = mmap(NULL, 0x800000UL, PROT_READ, MAP_SHARED,
                              binder_fd, 0);
  if (binder_mapping == MAP_FAILED) err(1, "mmap binder");
  void *data_mapping = mmap(NULL, 0x400000UL, PROT_READ|PROT_WRITE,
                            MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
  if (data_mapping == MAP_FAILED) err(1, "mmap data");
  munmap(binder_mapping, 0x800000UL);
  *(char*)data_mapping = 1;
  return 0;
}

Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20191016150119.154756-1-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/android/binder.c       |    7 -------
 drivers/android/binder_alloc.c |    6 ++++--
 2 files changed, 4 insertions(+), 9 deletions(-)

--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -95,10 +95,6 @@ DEFINE_SHOW_ATTRIBUTE(proc);
 #define SZ_1K                               0x400
 #endif
 
-#ifndef SZ_4M
-#define SZ_4M                               0x400000
-#endif
-
 #define FORBIDDEN_MMAP_FLAGS                (VM_WRITE)
 
 enum {
@@ -5195,9 +5191,6 @@ static int binder_mmap(struct file *filp
 	if (proc->tsk != current->group_leader)
 		return -EINVAL;
 
-	if ((vma->vm_end - vma->vm_start) > SZ_4M)
-		vma->vm_end = vma->vm_start + SZ_4M;
-
 	binder_debug(BINDER_DEBUG_OPEN_CLOSE,
 		     "%s: %d %lx-%lx (%ld K) vma %lx pagep %lx\n",
 		     __func__, proc->pid, vma->vm_start, vma->vm_end,
--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c
@@ -22,6 +22,7 @@
 #include <asm/cacheflush.h>
 #include <linux/uaccess.h>
 #include <linux/highmem.h>
+#include <linux/sizes.h>
 #include "binder_alloc.h"
 #include "binder_trace.h"
 
@@ -689,7 +690,9 @@ int binder_alloc_mmap_handler(struct bin
 	alloc->buffer = (void __user *)vma->vm_start;
 	mutex_unlock(&binder_alloc_mmap_lock);
 
-	alloc->pages = kcalloc((vma->vm_end - vma->vm_start) / PAGE_SIZE,
+	alloc->buffer_size = min_t(unsigned long, vma->vm_end - vma->vm_start,
+				   SZ_4M);
+	alloc->pages = kcalloc(alloc->buffer_size / PAGE_SIZE,
 			       sizeof(alloc->pages[0]),
 			       GFP_KERNEL);
 	if (alloc->pages == NULL) {
@@ -697,7 +700,6 @@ int binder_alloc_mmap_handler(struct bin
 		failure_string = "alloc page array";
 		goto err_alloc_pages_failed;
 	}
-	alloc->buffer_size = vma->vm_end - vma->vm_start;
 
 	buffer = kzalloc(sizeof(*buffer), GFP_KERNEL);
 	if (!buffer) {