binder: Prevent repeated use of ->mmap() via NULL mapping
mainline inclusion
from mainline-v5.5-rc1
commit a7a74d7f
category: bugfix
bugzilla: 188431, https://gitee.com/src-openeuler/kernel/issues/I6DKVG
CVE: CVE-2023-20938

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a7a74d7ff55a0c657bc46238b050460b9eacea95

--------------------------------

binder_alloc_mmap_handler() attempts to detect the use of ->mmap() on a binder_proc whose binder_alloc has already been initialized by checking whether alloc->buffer is non-zero.

Before commit 88021166 ("binder: remove kernel vm_area for buffer space"), alloc->buffer was a kernel mapping address, which is always non-zero, but since that commit, it is a userspace mapping address.

A sufficiently privileged user can map /dev/binder at NULL, tricking binder_alloc_mmap_handler() into assuming that the binder_proc has not been mapped yet. This leads to memory unsafety. Luckily, no context on Android has such privileges, and on a typical Linux desktop system, you need to be root to do that.

Fix it by using the mapping size instead of the mapping address to distinguish the mapped case. A valid VMA can't have size zero.

Fixes: 88021166 ("binder: remove kernel vm_area for buffer space")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20191018205631.248274-2-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Li Huafei <lihuafei1@huawei.com>
Reviewed-by: Zheng Yejian <zhengyejian1@huawei.com>
Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
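The commit message describes the flaw as a matter of which field is used as the "already mapped" flag: a pointer that can legitimately be 0 once it holds a userspace address, versus a mapping size that is never 0 for a valid VMA. The following user-space model, added here as an illustration and not taken from the kernel or from the binder driver, replays both checks against two mmap() calls for the same VMA. The struct, function and constant names (model_alloc, model_mmap_addr_check, model_mmap_size_check, MODEL_EBUSY, and so on) are invented for the demo, and the VMA addresses and size are constructed inputs; the model keeps only the kernel-side invariant the commit relies on, that a valid VMA has non-zero length.

```c
/*
 * Added example (not the kernel's code): a user-space model of the
 * "has this binder_proc already been mapped?" check described in the
 * commit message. All names here are invented for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the relevant fields of the per-process allocator state. */
struct model_alloc {
    uintptr_t buffer;      /* userspace start address of the mapping */
    size_t buffer_size;    /* size of the mapping */
    int setup_count;       /* how many times the state was (re)initialised */
};

/* Return codes for the model handlers. */
#define MODEL_OK      0
#define MODEL_EBUSY  -1   /* a mapping already exists for this process */
#define MODEL_EINVAL -2   /* rejected VMA */

typedef int (*model_mmap_fn)(struct model_alloc *, uintptr_t, size_t);

/*
 * Check from before the fix: "already mapped" is inferred from
 * buffer != 0. Sound while buffer held a kernel address (never 0);
 * unsound once it holds a userspace address, because 0 is a valid one.
 */
int model_mmap_addr_check(struct model_alloc *a, uintptr_t vm_start, size_t vm_len)
{
    if (vm_len == 0)
        return MODEL_EINVAL;      /* a valid VMA can't have size zero */
    if (a->buffer)
        return MODEL_EBUSY;
    a->buffer = vm_start;
    a->buffer_size = vm_len;
    a->setup_count++;             /* second init here is the bug */
    return MODEL_OK;
}

/*
 * Check after the fix: "already mapped" is inferred from the recorded
 * size, which is non-zero for any valid VMA whatever its address.
 */
int model_mmap_size_check(struct model_alloc *a, uintptr_t vm_start, size_t vm_len)
{
    if (vm_len == 0)
        return MODEL_EINVAL;
    if (a->buffer_size)
        return MODEL_EBUSY;
    a->buffer = vm_start;
    a->buffer_size = vm_len;
    a->setup_count++;
    return MODEL_OK;
}

/*
 * Drive a handler with two mmap() calls for the same VMA and report how
 * many times the per-process state was initialised. A correct handler
 * yields 1; the broken one yields 2 when the VMA starts at address 0.
 */
int model_double_mmap(model_mmap_fn handler, uintptr_t vm_start, size_t vm_len)
{
    struct model_alloc a = {0, 0, 0};
    handler(&a, vm_start, vm_len);   /* first mmap(): sets up the state */
    handler(&a, vm_start, vm_len);   /* second mmap(): must be refused */
    return a.setup_count;
}

/* Same drive, but return the second call's status code instead. */
int model_second_mmap_status(model_mmap_fn handler, uintptr_t vm_start, size_t vm_len)
{
    struct model_alloc a = {0, 0, 0};
    handler(&a, vm_start, vm_len);
    return handler(&a, vm_start, vm_len);
}

int main(void)
{
    const size_t len = 4 * 1024 * 1024;        /* constructed VMA size */
    const uintptr_t high = 0x7f0000000000ULL;  /* ordinary userspace address */

    printf("addr check, VMA at %#lx: initialised %d time(s)\n",
           (unsigned long)high, model_double_mmap(model_mmap_addr_check, high, len));
    printf("addr check, VMA at NULL: initialised %d time(s)\n",
           model_double_mmap(model_mmap_addr_check, 0, len));
    printf("size check, VMA at NULL: initialised %d time(s)\n",
           model_double_mmap(model_mmap_size_check, 0, len));
    return 0;
}
```

The point the model makes is the one the commit makes: the address check only ever worked because the value it inspected could not be 0, and once the field's meaning changed, a NULL mapping (which on a real system requires the privilege to map page zero) turns the "is it non-zero" flag into a double initialisation of the same state. Keying the check on the VMA length, which the kernel guarantees is non-zero, removes the dependence on where the mapping happens to land.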