From patchwork Mon Feb 1 06:04:02 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chen Feng X-Patchwork-Id: 60865 Delivered-To: patch@linaro.org Received: by 10.112.130.2 with SMTP id oa2csp2808621lbb; Sun, 31 Jan 2016 22:04:26 -0800 (PST) X-Received: by 10.67.22.97 with SMTP id hr1mr35612856pad.49.1454306666617; Sun, 31 Jan 2016 22:04:26 -0800 (PST) Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id xb2si22083054pab.232.2016.01.31.22.04.26; Sun, 31 Jan 2016 22:04:26 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752615AbcBAGEY (ORCPT + 30 others); Mon, 1 Feb 2016 01:04:24 -0500 Received: from szxga02-in.huawei.com ([119.145.14.65]:16898 "EHLO szxga02-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752398AbcBAGEV (ORCPT ); Mon, 1 Feb 2016 01:04:21 -0500 Received: from 172.24.1.48 (EHLO szxeml427-hub.china.huawei.com) ([172.24.1.48]) by szxrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DAT18565; Mon, 01 Feb 2016 14:04:12 +0800 (CST) Received: from vm163-62.huawei.com (10.184.163.62) by szxeml427-hub.china.huawei.com (10.82.67.182) with Microsoft SMTP Server id 14.3.235.1; Mon, 1 Feb 2016 14:04:02 +0800 From: Chen Feng To: , , , , , , , , CC: , , , Subject: [PATCH v3] android: binder: Sanity check at binder ioctl Date: Mon, 1 Feb 2016 14:04:02 +0800 Message-ID: <1454306642-73580-1-git-send-email-puck.chen@hisilicon.com> X-Mailer: git-send-email 1.9.1 MIME-Version: 1.0 X-Originating-IP: [10.184.163.62] X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A0B0206.56AEF55F.0157, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: 37c04a99bc19649a2d533c5fd2031c1c Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Sanity check at binder ioctl function, Only allow the shared mm_struct to use the same binder-object to do binder operate. And add proc->vma_vm_mm = current->mm at the open function. The libbinder do ioctl before mmap called. V2: Fix compile error for error commit V3: Change the condition to proc->vma_vm_mm Signed-off-by: Chen Feng Signed-off-by: Wei Dong Signed-off-by: Junmin Zhao Reviewed-by: Zhuangluan Su --- drivers/android/binder.c | 5 +++++ 1 file changed, 5 insertions(+) -- 1.9.1 diff --git a/drivers/android/binder.c b/drivers/android/binder.c index a39e85f..f080a8b 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2737,6 +2737,10 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) /*pr_info("binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ + if (unlikely(current->mm != proc->vma_vm_mm)) { + pr_err("current mm mismatch proc mm\n"); + return -EINVAL; + } trace_binder_ioctl(cmd, arg); ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); @@ -2951,6 +2955,7 @@ static int binder_open(struct inode *nodp, struct file *filp) return -ENOMEM; get_task_struct(current); proc->tsk = current; + proc->vma_vm_mm = current->mm; INIT_LIST_HEAD(&proc->todo); init_waitqueue_head(&proc->wait); proc->default_priority = task_nice(current);