Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Staging: android: binder: Fix use-after-free bug

binder_update_page_range could read freed memory if the vma of the
selected process was freed right before the check that the vma
belongs to the mm struct it just locked.

If the vm_mm pointer in that freed vma struct had also been rewritten
with a value that matched the locked mm struct, then the code would
proceed and possibly modify the freed vma.

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Authored by Arve Hjønnevåg and committed by Greg Kroah-Hartman

2a90957f 06caa417

+4 -1
drivers/staging/android/binder.c
··· 288 288 struct rb_root refs_by_node; 289 289 int pid; 290 290 struct vm_area_struct *vma; 291 + struct mm_struct *vma_vm_mm; 291 292 struct task_struct *tsk; 292 293 struct files_struct *files; 293 294 struct hlist_node deferred_work_node; ··· 634 633 if (mm) { 635 634 down_write(&mm->mmap_sem); 636 635 vma = proc->vma; 637 - if (vma && mm != vma->vm_mm) { 636 + if (vma && mm != proc->vma_vm_mm) { 638 637 pr_err("binder: %d: vma mm and task mm mismatch\n", 639 638 proc->pid); 640 639 vma = NULL; ··· 2777 2776 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2778 2777 (unsigned long)pgprot_val(vma->vm_page_prot)); 2779 2778 proc->vma = NULL; 2779 + proc->vma_vm_mm = NULL; 2780 2780 binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES); 2781 2781 } 2782 2782 ··· 2860 2858 barrier(); 2861 2859 proc->files = get_files_struct(proc->tsk); 2862 2860 proc->vma = vma; 2861 + proc->vma_vm_mm = vma->vm_mm; 2863 2862 2864 2863 /*printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p\n", 2865 2864 proc->pid, vma->vm_start, vma->vm_end, proc->buffer);*/
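Review bot: the new `struct mm_struct *vma_vm_mm;` member added below `struct vm_area_struct *vma;` has no comment explaining why it exists. Since it is only there so the mismatch check in binder_update_page_range can avoid dereferencing a possibly freed `proc->vma`, a one-line comment next to the declaration, such as `/* cached vma->vm_mm, safe to read after the vma is freed */`, would document the invariant that it must be updated together with `proc->vma` wherever that pointer is set or cleared.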
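Review bot: changing the test to `if (vma && mm != proc->vma_vm_mm)` removes the read through a possibly stale `proc->vma`, but the check only establishes that the locked mm matches the cached one, not that `vma` itself is still live, and the code after the check continues to use `vma` when the test passes. Correctness therefore rests on the close path clearing `proc->vma` before the mm can be torn down and on the `down_write(&mm->mmap_sem)` just above excluding that teardown; a short comment at the check stating that reliance would keep a later reader from assuming the cached mm alone makes `vma` safe to dereference.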
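Review bot: `proc->vma` and `proc->vma_vm_mm` are now always written as a pair, cleared together here (`proc->vma = NULL; proc->vma_vm_mm = NULL;`) and set together in binder_mmap. Factoring the pair into a small helper that takes the vma (or NULL) and updates both fields would prevent a future caller from touching one without the other, which is exactly the kind of drift this fix depends on never happening.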
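Review bot: in the mmap path the cache is filled after the pointer is published: `proc->vma = vma;` is followed by `proc->vma_vm_mm = vma->vm_mm;`. The check in binder_update_page_range reads `proc->vma` first and `proc->vma_vm_mm` second, so if those two stores could be observed out of order by that reader it would see a non-NULL vma with a stale cached mm and take the mismatch branch (a spurious `pr_err` and a skipped update rather than a crash). Swapping the two assignments so `proc->vma_vm_mm` is stored before `proc->vma`, on the same side of the `barrier()` already present above, would make the publish order match the read order at no cost.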