Date: Mon, 27 Jan 2020 19:25:26 -0500
From: Joel Fernandes
To: Todd Kjos
Cc: surenb@google.com, gregkh@linuxfoundation.org, arve@android.com, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, maco@google.com, kernel-team@android.com, Jann Horn, stable
Subject: Re: [PATCH v2] staging: android: ashmem: Disallow ashmem memory from being remapped
Message-ID: <20200128002526.GC175575@google.com>
References: <20200127235616.48920-1-tkjos@google.com>
In-Reply-To: <20200127235616.48920-1-tkjos@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jan 27, 2020 at 03:56:16PM -0800, Todd Kjos wrote:
> From: Suren Baghdasaryan
>
> When ashmem file is mmapped, the resulting vma->vm_file points to the
> backing shmem file with the generic fops that do not check ashmem
> permissions like fops of ashmem do. If an mremap is done on the ashmem
> region, then the permission checks will be skipped. Fix that by disallowing
> mapping operation on the backing shmem file.

Reviewed-by: Joel Fernandes (Google)

thanks!

 - Joel

>
> Reported-by: Jann Horn
> Signed-off-by: Suren Baghdasaryan
> Cc: stable # 4.4,4.9,4.14,4.18,5.4
> Signed-off-by: Todd Kjos
> ---
>  drivers/staging/android/ashmem.c | 28 ++++++++++++++++++++++++++++
>  1 file changed, 28 insertions(+)
>
> v2: update commit message as suggested by joelaf@google.com.
>
> diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
> index 74d497d39c5a..c6695354b123 100644
> --- a/drivers/staging/android/ashmem.c
> +++ b/drivers/staging/android/ashmem.c
> @@ -351,8 +351,23 @@ static inline vm_flags_t calc_vm_may_flags(unsigned long prot)
>  	       _calc_vm_trans(prot, PROT_EXEC, VM_MAYEXEC);
>  }
>  
> +static int ashmem_vmfile_mmap(struct file *file, struct vm_area_struct *vma)
> +{
> +	/* do not allow to mmap ashmem backing shmem file directly */
> +	return -EPERM;
> +}
> +
> +static unsigned long
> +ashmem_vmfile_get_unmapped_area(struct file *file, unsigned long addr,
> +				unsigned long len, unsigned long pgoff,
> +				unsigned long flags)
> +{
> +	return current->mm->get_unmapped_area(file, addr, len, pgoff, flags);
> +}
> +
>  static int ashmem_mmap(struct file *file, struct vm_area_struct *vma)
>  {
> +	static struct file_operations vmfile_fops;
>  	struct ashmem_area *asma = file->private_data;
>  	int ret = 0;
>  
> @@ -393,6 +408,19 @@ static int ashmem_mmap(struct file *file, struct vm_area_struct *vma)
>  		}
>  		vmfile->f_mode |= FMODE_LSEEK;
>  		asma->file = vmfile;
> +		/*
> +		 * override mmap operation of the vmfile so that it can't be
> +		 * remapped which would lead to creation of a new vma with no
> +		 * asma permission checks. Have to override get_unmapped_area
> +		 * as well to prevent VM_BUG_ON check for f_ops modification.
> +		 */
> +		if (!vmfile_fops.mmap) {
> +			vmfile_fops = *vmfile->f_op;
> +			vmfile_fops.mmap = ashmem_vmfile_mmap;
> +			vmfile_fops.get_unmapped_area =
> +				ashmem_vmfile_get_unmapped_area;
> +		}
> +		vmfile->f_op = &vmfile_fops;
>  	}
>  	get_file(asma->file);
>  
> --
> 2.25.0.341.g760bfbb309-goog
>
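Review bot: ashmem_vmfile_get_unmapped_area in the first hunk (@@ -351,8 +351,23 @@) is an uncommented pass-through to current->mm->get_unmapped_area, so someone reading this function on its own cannot tell why the copied fops need their get_unmapped_area replaced; the only explanation ("prevent VM_BUG_ON check for f_ops modification") lives in the block comment inside ashmem_mmap in the second hunk. It also means that whatever get_unmapped_area the copied shmem fops carried is dropped silently. Suggest a short comment above the function, for example `/* Paired with ashmem_vmfile_mmap; see the comment in ashmem_mmap(). */`, stating that the replacement is intentional, and extending the comment in ashmem_vmfile_mmap to say what the -EPERM protects (a mapping created without the asma permission checks) rather than only restating the rule.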
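Review bot: in the second hunk (@@ -393,6 +408,19 @@) the lazy initialization `if (!vmfile_fops.mmap) { vmfile_fops = *vmfile->f_op; ... }` is a check-then-write on a function-scoped static shared by every caller of ashmem_mmap, and nothing in the hunk shows what serializes two tasks performing their first ashmem mmap at the same time; the one-time copy is also only sound if `vmfile->f_op` points at the same file_operations on every call. Suggest the block comment name the lock that is held across this section (or state that the writes are idempotent because the source fops are always the same struct), and consider performing the copy once at module init rather than on the first mmap path, which would remove the ordering question entirely.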