Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp1206503ybf;
        Thu, 27 Feb 2020 06:48:41 -0800 (PST)
X-Google-Smtp-Source: APXvYqxZAwPvRrHZs1kfGY97GSfvXyt4Qg0Z2LwQWWvr6GvCmDraZ45bXxt1jQeXHLC8DWldoixh
X-Received: by 2002:aca:1c01:: with SMTP id c1mr3654160oic.18.1582814921741;
        Thu, 27 Feb 2020 06:48:41 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1582814921; cv=none;
        d=google.com; s=arc-20160816;
        b=XmNuXSLE0j1ncihINbYzyrszItF/BU73M9WeUaS9PV7mwZZOASzaezi2/RS8fJQRsw
         PkyBaMq/okizPGcz5s4VIaBrnynKyRd03yuYPVYeelrTVujgPU3//Nw4l3r9K7t/6iAV
         XS2aOeIR8xktlRkY68rEIyYPu2QQw1Wl6O83swIh2qCIJOL4MsVVYdkHskw5KZQybVpm
         Kxhl9EYA9dKny3Mm2sTcD2tr6ey3Ak8ig7TD7vrFvVIdcWwstaamiKf14TEKZi1vBuWh
         4eRggR+mBt9twbLMKNiYPW/RJiO1vHPZ/tFdGfJ/gxSA18W4nvBm+mh5oG6k4qNW+KVD
         9YMQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=K+0pwsUnNIq2DNqL+PMrDLEFuGSZsj20x9FB8IGvqXI=;
        b=BQC1BO7R/u3b4fsSaS8OHe7lb1FC6UmczVFvymCJ3IcdyNgxvhVALxkpZeV3fsvvDZ
         lwseK5hSe8C8URrZRP7dJb+B41kxYUs/oO4V0lfSQoZQql4usJkF7rxwRA1nUFg81dkp
         A7cHrN5jj0atrB530F67x/FP9feOWxcswqOwAfpBzQHdYQA+FZL/6sHOwAHA698/12Gf
         SyK3fTgU6IrsTeVEma20txK2fZ15Zy8HkoBxY1ooVS1pKfqNkTPCsp/zvgIuNB4/EwAk
         hZFpLARF4RdsOPkssNkOmev7RvPwQfVHE7Swt7WUlEnLE9+jo+2e+8B+q+lYleLFqiNc
         nCzw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=1jiUjjOt;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l4si1511949oib.170.2020.02.27.06.48.29;
        Thu, 27 Feb 2020 06:48:41 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=1jiUjjOt;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730031AbgB0Nns (ORCPT <rfc822;wxiaokuan@gmail.com> + 99 others);
        Thu, 27 Feb 2020 08:43:48 -0500
Received: from mail.kernel.org ([198.145.29.99]:39044 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1729696AbgB0Nno (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 27 Feb 2020 08:43:44 -0500
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 8D4DE20726;
        Thu, 27 Feb 2020 13:43:43 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1582811024;
        bh=D2UNR+MPHKFDoSdnx/q3n2QdWmDMWLZ48WZzdXaaRSo=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=1jiUjjOtXFxFr22DjPCOUPa43s0RHMCzhzxxkhRzh4ciwR1K5qkkKbkVLOMEJZZyW
         ZKJvgDfC+uCxyAXb8OAukY70RZe9xv54iDS8YvHTs+BD2Kw4+Djt0k5guIpEIaphJd
         PqfpTWKM+zX7Vg1TycNejVuLiXF8lNnf2GCknigQ=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Jann Horn <jannh@google.com>,
        Suren Baghdasaryan <surenb@google.com>,
        Todd Kjos <tkjos@google.com>,
        "Joel Fernandes (Google)" <joel@joelfernandes.org>
Subject: [PATCH 4.4 086/113] staging: android: ashmem: Disallow ashmem memory from being remapped
Date:   Thu, 27 Feb 2020 14:36:42 +0100
Message-Id: <20200227132225.514339915@linuxfoundation.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20200227132211.791484803@linuxfoundation.org>
References: <20200227132211.791484803@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Suren Baghdasaryan <surenb@google.com>

commit 6d67b0290b4b84c477e6a2fc6e005e174d3c7786 upstream.

When ashmem file is mmapped, the resulting vma->vm_file points to the
backing shmem file with the generic fops that do not check ashmem
permissions like fops of ashmem do. If an mremap is done on the ashmem
region, then the permission checks will be skipped. Fix that by disallowing
mapping operation on the backing shmem file.

Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Cc: stable <stable@vger.kernel.org> # 4.4,4.9,4.14,4.18,5.4
Signed-off-by: Todd Kjos <tkjos@google.com>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Link: https://lore.kernel.org/r/20200127235616.48920-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/android/ashmem.c |   28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -357,8 +357,23 @@ static inline vm_flags_t calc_vm_may_fla
 	       _calc_vm_trans(prot, PROT_EXEC,  VM_MAYEXEC);
 }
 
+static int ashmem_vmfile_mmap(struct file *file, struct vm_area_struct *vma)
+{
+	/* do not allow to mmap ashmem backing shmem file directly */
+	return -EPERM;
+}
+
+static unsigned long
+ashmem_vmfile_get_unmapped_area(struct file *file, unsigned long addr,
+				unsigned long len, unsigned long pgoff,
+				unsigned long flags)
+{
+	return current->mm->get_unmapped_area(file, addr, len, pgoff, flags);
+}
+
 static int ashmem_mmap(struct file *file, struct vm_area_struct *vma)
 {
+	static struct file_operations vmfile_fops;
 	struct ashmem_area *asma = file->private_data;
 	int ret = 0;
 
@@ -399,6 +414,19 @@ static int ashmem_mmap(struct file *file
 		}
 		vmfile->f_mode |= FMODE_LSEEK;
 		asma->file = vmfile;
+		/*
+		 * override mmap operation of the vmfile so that it can't be
+		 * remapped which would lead to creation of a new vma with no
+		 * asma permission checks. Have to override get_unmapped_area
+		 * as well to prevent VM_BUG_ON check for f_ops modification.
+		 */
+		if (!vmfile_fops.mmap) {
+			vmfile_fops = *vmfile->f_op;
+			vmfile_fops.mmap = ashmem_vmfile_mmap;
+			vmfile_fops.get_unmapped_area =
+					ashmem_vmfile_get_unmapped_area;
+		}
+		vmfile->f_op = &vmfile_fops;
 	}
 	get_file(asma->file);