diff options
| author | Jann Horn <[email protected]> | 2019-10-18 22:56:30 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <[email protected]> | 2019-11-14 11:44:47 +0800 |
| commit | a7a74d7ff55a0c657bc46238b050460b9eacea95 (patch) | |
| tree | 37be4c7f15bfa4535a2aa0a3a1a28ee58d10627f /scripts/gdb/linux/symbols.py | |
| parent | 8eb52a1ee37aafd9b796713aa0b3ab9cbc455be3 (diff) | |
binder: Prevent repeated use of ->mmap() via NULL mapping
binder_alloc_mmap_handler() attempts to detect the use of ->mmap() on a
binder_proc whose binder_alloc has already been initialized by checking
whether alloc->buffer is non-zero.
Before commit 880211667b20 ("binder: remove kernel vm_area for buffer
space"), alloc->buffer was a kernel mapping address, which is always
non-zero, but since that commit, it is a userspace mapping address.
A sufficiently privileged user can map /dev/binder at NULL, tricking
binder_alloc_mmap_handler() into assuming that the binder_proc has not been
mapped yet. This leads to memory unsafety.
Luckily, no context on Android has such privileges, and on a typical Linux
desktop system, you need to be root to do that.
Fix it by using the mapping size instead of the mapping address to
distinguish the mapped case. A valid VMA can't have size zero.
Fixes: 880211667b20 ("binder: remove kernel vm_area for buffer space")
Cc: [email protected]
Signed-off-by: Jann Horn <[email protected]>
Acked-by: Christian Brauner <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Diffstat (limited to 'scripts/gdb/linux/symbols.py')
0 files changed, 0 insertions, 0 deletions