Date: Mon, 27 Jan 2020 13:00:14 -0800
Message-Id: <20200127210014.5207-1-tkjos@google.com>
Subject: [PATCH] staging: android: ashmem: Disallow ashmem memory from being remapped
From: Todd Kjos
To: tkjos@google.com, surenb@google.com, gregkh@linuxfoundation.org, arve@android.com, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, maco@google.com
Cc: joel@joelfernandes.org, kernel-team@android.com, Jann Horn, stable
X-Mailing-List: linux-kernel@vger.kernel.org

From: Suren Baghdasaryan

When an ashmem file is being mmapped, the resulting vma->vm_file points to the backing shmem file with the generic fops that do not check ashmem permissions like the fops of ashmem do. Fix that by disallowing the mapping operation for the backing shmem file.

Reported-by: Jann Horn
Signed-off-by: Suren Baghdasaryan
Cc: stable # 4.4,4.9,4.14,4.18,5.4
Signed-off-by: Todd Kjos
---
 drivers/staging/android/ashmem.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
index 74d497d39c5a..c6695354b123 100644
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -351,8 +351,23 @@ static inline vm_flags_t calc_vm_may_flags(unsigned long prot) _calc_vm_trans(prot, PROT_EXEC, VM_MAYEXEC); } +static int ashmem_vmfile_mmap(struct file *file, struct vm_area_struct *vma) +{ + /* do not allow to mmap ashmem backing shmem file directly */ + return -EPERM; +} + +static unsigned long +ashmem_vmfile_get_unmapped_area(struct file *file, unsigned long addr, + unsigned long len, unsigned long pgoff, + unsigned long flags) +{ + return current->mm->get_unmapped_area(file, addr, len, pgoff, flags); +} + static int ashmem_mmap(struct file *file, struct vm_area_struct *vma) { + static struct file_operations vmfile_fops; struct ashmem_area *asma = file->private_data; int ret = 0; @@ -393,6 +408,19 @@ static int ashmem_mmap(struct file *file, struct vm_area_struct *vma) } vmfile->f_mode |= FMODE_LSEEK; asma->file = vmfile; + /* + * override mmap operation of the vmfile so that it can't be + * remapped which would lead to creation of a new vma with no + * asma permission checks. Have to override get_unmapped_area + * as well to prevent VM_BUG_ON check for f_ops modification. + */ + if (!vmfile_fops.mmap) { + vmfile_fops = *vmfile->f_op; + vmfile_fops.mmap = ashmem_vmfile_mmap; + vmfile_fops.get_unmapped_area = + ashmem_vmfile_get_unmapped_area; + } + vmfile->f_op = &vmfile_fops; } get_file(asma->file); -- 2.25.0.341.g760bfbb309-goog
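Review bot: in the first hunk, ashmem_vmfile_get_unmapped_area replaces the backing file's get_unmapped_area with a direct call to current->mm->get_unmapped_area instead of wrapping the original entry, so whatever placement logic that entry applied to the file is no longer used for ashmem mappings; the in-code comment only says the override avoids a VM_BUG_ON, so the commit message should state that dropping the original behaviour is intentional. A one-line comment above ashmem_vmfile_mmap saying which path still hands a caller the backing file (the commit message names vma->vm_file) would also make the unconditional -EPERM reviewable without the cover text.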
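Review bot: in the second hunk, the first-use initialization of the function-local static vmfile_fops (if (!vmfile_fops.mmap) { vmfile_fops = *vmfile->f_op; ... }) is a check-then-write on shared state and no lock is visible in the hunk; if ashmem_mmap runs under ashmem_mutex, say so in the comment, otherwise two concurrent first callers can both write the struct while an earlier vmfile already points at it through vmfile->f_op. Copying *vmfile->f_op from whichever vmfile arrives first also assumes every backing file shares the same file_operations, which is worth stating explicitly. Finally, "prevent VM_BUG_ON check for f_ops modification" should name the function whose assertion on f_op is being avoided, so the need for the get_unmapped_area override can be verified rather than taken on trust.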