From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jann Horn, Christian Brauner
Subject: [PATCH 5.3 104/105] binder: Prevent repeated use of ->mmap() via NULL mapping
Date: Wed, 11 Dec 2019 16:06:33 +0100
Message-Id: <20191211150306.087939736@linuxfoundation.org>
X-Mailer: git-send-email 2.24.1
In-Reply-To: <20191211150221.153659747@linuxfoundation.org>
References: <20191211150221.153659747@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Jann Horn

commit a7a74d7ff55a0c657bc46238b050460b9eacea95 upstream.

binder_alloc_mmap_handler() attempts to detect the use of ->mmap() on a
binder_proc whose binder_alloc has already been initialized by checking
whether alloc->buffer is non-zero.

Before commit 880211667b20 ("binder: remove kernel vm_area for buffer
space"), alloc->buffer was a kernel mapping address, which is always
non-zero, but since that commit, it is a userspace mapping address.

A sufficiently privileged user can map /dev/binder at NULL, tricking
binder_alloc_mmap_handler() into assuming that the binder_proc has not
been mapped yet. This leads to memory unsafety.
Luckily, no context on Android has such privileges, and on a typical
Linux desktop system, you need to be root to do that.

Fix it by using the mapping size instead of the mapping address to
distinguish the mapped case. A valid VMA can't have size zero.

Fixes: 880211667b20 ("binder: remove kernel vm_area for buffer space")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn
Acked-by: Christian Brauner
Link: https://lore.kernel.org/r/20191018205631.248274-2-jannh@google.com
Signed-off-by: Greg Kroah-Hartman
---
 drivers/android/binder_alloc.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c @@ -681,17 +681,17 @@ int binder_alloc_mmap_handler(struct bin struct binder_buffer *buffer; mutex_lock(&binder_alloc_mmap_lock); - if (alloc->buffer) { + if (alloc->buffer_size) { ret = -EBUSY; failure_string = "already mapped"; goto err_already_mapped; } + alloc->buffer_size = min_t(unsigned long, vma->vm_end - vma->vm_start, + SZ_4M); + mutex_unlock(&binder_alloc_mmap_lock); alloc->buffer = (void __user *)vma->vm_start; - mutex_unlock(&binder_alloc_mmap_lock); - alloc->buffer_size = min_t(unsigned long, vma->vm_end - vma->vm_start, - SZ_4M); alloc->pages = kcalloc(alloc->buffer_size / PAGE_SIZE, sizeof(alloc->pages[0]), GFP_KERNEL); @@ -722,8 +722,9 @@ err_alloc_buf_struct_failed: kfree(alloc->pages); alloc->pages = NULL; err_alloc_pages_failed: - mutex_lock(&binder_alloc_mmap_lock); alloc->buffer = NULL; + mutex_lock(&binder_alloc_mmap_lock); + alloc->buffer_size = 0; err_already_mapped: mutex_unlock(&binder_alloc_mmap_lock); binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
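Review bot: in the first hunk (the `@@ -681,17 +681,17 @@` region), keying the EBUSY check on `alloc->buffer_size` means binder_alloc_mmap_lock now serialises only that field, while the store `alloc->buffer = (void __user *)vma->vm_start;` moves after `mutex_unlock(&binder_alloc_mmap_lock);`. That is enough to stop a second ->mmap() from getting past the check, but a one-line comment above `if (alloc->buffer_size) {` saying that buffer_size is the "mapped" indicator because buffer is a userspace address that may legitimately be 0 would keep a later cleanup from reinstating the address test; it is also worth confirming that no other reader takes this lock expecting buffer and buffer_size to be populated together.

Review bot: in the second hunk (the `@@ -722,8 +722,9 @@` region), the unwind resets `alloc->buffer_size = 0;` under the lock and `alloc->buffer = NULL;` outside it, mirroring the success path, so the unmapped state (buffer_size == 0) is restored before `err_already_mapped:` unlocks; the logic is fine. Nit: `alloc->buffer = NULL;` now sits between the `err_alloc_pages_failed:` label and `mutex_lock(&binder_alloc_mmap_lock);`, which reads as if the reset were meant to be locked; a short comment that only buffer_size is guarded by binder_alloc_mmap_lock would make the placement look intentional.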
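The failure mode the commit message describes, modelled as an added example (not code from the kernel or from this patch): a userspace stand-in for the two fields of struct binder_alloc that the check relies on, with the pre-fix address check beside the post-fix size check, driven through two consecutive mmap() calls. `struct alloc_state`, the function names and the sample addresses are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <errno.h>

#define SZ_4M (4UL * 1024 * 1024)

/* Hypothetical stand-in for the relevant fields of struct binder_alloc. */
struct alloc_state {
    void *buffer;              /* userspace mapping start; may legitimately be 0 */
    unsigned long buffer_size; /* size of the mapping; 0 while unmapped */
};

static unsigned long clamp_size(unsigned long vm_start, unsigned long vm_end)
{
    unsigned long len = vm_end - vm_start;
    return len < SZ_4M ? len : SZ_4M;
}

/* Pre-fix logic: a non-zero mapping address is taken to mean "already mapped".
 * Returns 0 when the mapping is accepted, -EBUSY when it is rejected. */
int mmap_check_by_address(struct alloc_state *a, unsigned long vm_start,
                          unsigned long vm_end)
{
    if (a->buffer)
        return -EBUSY;
    a->buffer = (void *)(uintptr_t)vm_start;
    a->buffer_size = clamp_size(vm_start, vm_end);
    return 0;
}

/* Post-fix logic: a valid VMA cannot have size zero, so buffer_size is a
 * reliable "mapped" flag even when the VMA starts at address 0. */
int mmap_check_by_size(struct alloc_state *a, unsigned long vm_start,
                       unsigned long vm_end)
{
    if (a->buffer_size)
        return -EBUSY;
    a->buffer_size = clamp_size(vm_start, vm_end);
    a->buffer = (void *)(uintptr_t)vm_start;
    return 0;
}

/* Runs two mmap() calls against a fresh state. Returns 1 if the second call
 * was rejected with -EBUSY, 0 if it slipped through, -1 if the first failed. */
int second_mmap_rejected(int (*check)(struct alloc_state *, unsigned long,
                                      unsigned long),
                         unsigned long vm_start, unsigned long size)
{
    struct alloc_state a = { .buffer = NULL, .buffer_size = 0 };
    if (check(&a, vm_start, vm_start + size) != 0)
        return -1;
    return check(&a, vm_start, vm_start + size) == -EBUSY;
}
```

With a VMA starting at 0 the address-based check accepts the second mapping, while the size-based check rejects it; for any non-zero start both variants behave the same.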