leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
a7a74d7ff5
linux/drivers/android
History
Jann Horn a7a74d7ff5 binder: Prevent repeated use of ->mmap() via NULL mapping 
binder_alloc_mmap_handler() attempts to detect the use of ->mmap() on a
binder_proc whose binder_alloc has already been initialized by checking
whether alloc->buffer is non-zero.

Before commit 880211667b ("binder: remove kernel vm_area for buffer
space"), alloc->buffer was a kernel mapping address, which is always
non-zero, but since that commit, it is a userspace mapping address.

A sufficiently privileged user can map /dev/binder at NULL, tricking
binder_alloc_mmap_handler() into assuming that the binder_proc has not been
mapped yet. This leads to memory unsafety.
Luckily, no context on Android has such privileges, and on a typical Linux
desktop system, you need to be root to do that.

Fix it by using the mapping size instead of the mapping address to
distinguish the mapped case. A valid VMA can't have size zero.

Fixes: 880211667b ("binder: remove kernel vm_area for buffer space")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20191018205631.248274-2-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-11-14 11:44:47 +08:00
..
binder_alloc_selftest.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
binder_alloc.c binder: Prevent repeated use of ->mmap() via NULL mapping 2019-11-14 11:44:47 +08:00
binder_alloc.h binder: return errors from buffer copy functions 2019-07-01 08:42:47 +02:00
binder_internal.h binder: prevent UAF read in print_binder_transaction_log_entry() 2019-10-10 14:39:22 +02:00
binder_trace.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
binder.c Merge 5.4-rc5 into char-misc-next 2019-10-27 18:48:33 +01:00
binderfs.c binder: Add binder_proc logging to binderfs 2019-09-04 13:31:26 +02:00
Kconfig binder: add functions to copy to/from binder buffers 2019-02-12 10:43:57 +01:00
Makefile treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00