From patchwork Tue Jan 19 03:45:36 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chen Feng X-Patchwork-Id: 59953 Delivered-To: patch@linaro.org Received: by 10.112.130.2 with SMTP id oa2csp2341301lbb; Mon, 18 Jan 2016 19:50:05 -0800 (PST) X-Received: by 10.98.76.149 with SMTP id e21mr41748661pfj.89.1453175405254; Mon, 18 Jan 2016 19:50:05 -0800 (PST) Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id gk10si5544026pac.103.2016.01.18.19.50.04; Mon, 18 Jan 2016 19:50:05 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756963AbcASDuC (ORCPT + 29 others); Mon, 18 Jan 2016 22:50:02 -0500 Received: from szxga02-in.huawei.com ([119.145.14.65]:56491 "EHLO szxga02-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755831AbcASDt7 (ORCPT ); Mon, 18 Jan 2016 22:49:59 -0500 Received: from 172.24.1.51 (EHLO szxeml434-hub.china.huawei.com) ([172.24.1.51]) by szxrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DAC98850; Tue, 19 Jan 2016 11:46:23 +0800 (CST) Received: from vm163-62.huawei.com (10.184.163.62) by szxeml434-hub.china.huawei.com (10.82.67.225) with Microsoft SMTP Server id 14.3.235.1; Tue, 19 Jan 2016 11:45:38 +0800 From: Chen Feng To: , , , , , , , , , , , , , , , , , , , , , , , , CC: , , , , Subject: [PATCH RESEND] android: binder: Sanity check at binder ioctl Date: Tue, 19 Jan 2016 11:45:36 +0800 Message-ID: <1453175136-3351-1-git-send-email-puck.chen@hisilicon.com> X-Mailer: git-send-email 1.9.1 MIME-Version: 1.0 X-Originating-IP: [10.184.163.62] X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020202.569DB191.00B7, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: 7bf1f44f5cc829d1b329c13761b35fa6 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org When a process fork a child process, we should not allow the child process use the binder which opened by parent process. But if the binder-object creater is a thread of one process who exit, the other thread can also use this binder-object normally. We can distinguish this by the member proc->tsk->mm. If the thread exit the tsk->mm will be NULL. proc->tsk->mm != current->mm && proc->tsk->mm So only allow the shared mm_struct to use the same binder-object and check the existence of mm_struct. Signed-off-by: Chen Feng Signed-off-by: Wei Dong Signed-off-by: Junmin Zhao Reviewed-by: Zhuangluan Su --- drivers/android/binder.c | 2 ++ 1 file changed, 2 insertions(+) -- 1.9.1 diff --git a/drivers/android/binder.c b/drivers/android/binder.c index a39e85f..279063c 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2736,6 +2736,8 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) /*pr_info("binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ + if (unlikely(proc->tsk->mm != current->mm && proc->tsk->mm)) + return -EINVAL; trace_binder_ioctl(cmd, arg);