From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jann Horn, Suren Baghdasaryan, Todd Kjos, "Joel Fernandes (Google)"
Subject: [PATCH 5.4 021/135] staging: android: ashmem: Disallow ashmem memory from being remapped
Date: Thu, 27 Feb 2020 14:36:01 +0100
Message-Id: <20200227132232.442118065@linuxfoundation.org>
In-Reply-To: <20200227132228.710492098@linuxfoundation.org>
References: <20200227132228.710492098@linuxfoundation.org>

From: Suren Baghdasaryan

commit 6d67b0290b4b84c477e6a2fc6e005e174d3c7786 upstream.

When ashmem file is mmapped, the resulting vma->vm_file points to the backing shmem file with the generic fops that do not check ashmem permissions like fops of ashmem do. If an mremap is done on the ashmem region, then the permission checks will be skipped. Fix that by disallowing mapping operation on the backing shmem file.

Reported-by: Jann Horn
Signed-off-by: Suren Baghdasaryan
Cc: stable # 4.4,4.9,4.14,4.18,5.4
Signed-off-by: Todd Kjos
Reviewed-by: Joel Fernandes (Google)
Link: https://lore.kernel.org/r/20200127235616.48920-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman
---
drivers/staging/android/ashmem.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)

--- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c 
@@ -351,8 +351,23 @@ static inline vm_flags_t calc_vm_may_fla _calc_vm_trans(prot, PROT_EXEC, VM_MAYEXEC); } +static int ashmem_vmfile_mmap(struct file *file, struct vm_area_struct *vma) +{ + /* do not allow to mmap ashmem backing shmem file directly */ + return -EPERM; +} + +static unsigned long +ashmem_vmfile_get_unmapped_area(struct file *file, unsigned long addr, + unsigned long len, unsigned long pgoff, + unsigned long flags) +{ + return current->mm->get_unmapped_area(file, addr, len, pgoff, flags); +} + static int ashmem_mmap(struct file *file, struct vm_area_struct *vma) { + static struct file_operations vmfile_fops; struct ashmem_area *asma = file->private_data; int ret = 0; @@ -393,6 +408,19 @@ static int ashmem_mmap(struct file *file } vmfile->f_mode |= FMODE_LSEEK; asma->file = vmfile; + /* + * override mmap operation of the vmfile so that it can't be + * remapped which would lead to creation of a new vma with no + * asma permission checks. Have to override get_unmapped_area + * as well to prevent VM_BUG_ON check for f_ops modification. + */ + if (!vmfile_fops.mmap) { + vmfile_fops = *vmfile->f_op; + vmfile_fops.mmap = ashmem_vmfile_mmap; + vmfile_fops.get_unmapped_area = + ashmem_vmfile_get_unmapped_area; + } + vmfile->f_op = &vmfile_fops; } get_file(asma->file);
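
Review bot: In the first hunk (@@ -351,8 +351,23), ashmem_vmfile_get_unmapped_area() has no comment of its own; the only explanation for it sits in the comment added to ashmem_mmap() in the second hunk. Because the copied table later has its get_unmapped_area replaced with a call to current->mm->get_unmapped_area, whatever placement behaviour the backing file's original f_op supplied is dropped for every ashmem mapping. A short comment on the function saying that this is intended, and why delegating to the mm default is acceptable, would make that visible to the next reader. The comment in ashmem_vmfile_mmap() would also read better as "do not allow mmap of the ashmem backing shmem file directly".

Review bot: In the second hunk (@@ -393,6 +408,19), the lazy initialisation guarded by `if (!vmfile_fops.mmap)` writes a function-local static struct with no locking visible in these lines, so two first-time callers could be copying into vmfile_fops while another file already points at it through vmfile->f_op. If ashmem_mmap() holds a lock across this block, the comment should say so; otherwise the table should be filled in once under a lock. The table is also copied from the first vmfile's f_op and then reused for every later backing file, which assumes all of them share the same file_operations; stating that assumption in the comment, or checking vmfile->f_op against the table that was copied before overriding it, would keep a future change to the backing file type from silently installing the wrong ops.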