From patchwork Tue Jan 19 03:22:42 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chen Feng X-Patchwork-Id: 59952 Delivered-To: patch@linaro.org Received: by 10.112.130.2 with SMTP id oa2csp2333891lbb; Mon, 18 Jan 2016 19:23:41 -0800 (PST) X-Received: by 10.67.15.73 with SMTP id fm9mr41766931pad.130.1453173821148; Mon, 18 Jan 2016 19:23:41 -0800 (PST) Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a90si44149235pfj.20.2016.01.18.19.23.40; Mon, 18 Jan 2016 19:23:41 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757214AbcASDXc (ORCPT + 29 others); Mon, 18 Jan 2016 22:23:32 -0500 Received: from szxga02-in.huawei.com ([119.145.14.65]:37833 "EHLO szxga02-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757168AbcASDXX (ORCPT ); Mon, 18 Jan 2016 22:23:23 -0500 Received: from 172.24.1.48 (EHLO SZXEML429-HUB.china.huawei.com) ([172.24.1.48]) by szxrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DAC96095; Tue, 19 Jan 2016 11:22:55 +0800 (CST) Received: from vm163-62.huawei.com (10.184.163.62) by SZXEML429-HUB.china.huawei.com (10.82.67.184) with Microsoft SMTP Server id 14.3.235.1; Tue, 19 Jan 2016 11:22:44 +0800 From: Chen Feng To: , , , , , , , , , , , , , , , , , , , , , , , , CC: , , , , Subject: [PATCH] android: binder: Sanity check at binder ioctl Date: Tue, 19 Jan 2016 11:22:42 +0800 Message-ID: <1453173762-130234-1-git-send-email-puck.chen@hisilicon.com> X-Mailer: git-send-email 1.9.1 MIME-Version: 1.0 X-Originating-IP: [10.184.163.62] X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020203.569DAC12.0104, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: a07253a7ec41ec987a31c3a0559d55ef Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org When a process fork a child process, we should not allow the child process use the binder which opened by parent process. But if the binder-object creater is a thread of one process who exit, the other thread can also use this binder-object normally. We can distinguish this by the member proc->tsk->mm. If the thread exit the tsk->mm will be NULL. proc->tsk->mm != current->tsk->mm && proc->tsk->mm So only allow the shared mm_struct to use the same binder-object and check the existence of mm_struct. Signed-off-by: Chen Feng Signed-off-by: Wei Dong Signed-off-by: Junmin Zhao Reviewed-by: Zhuangluan Su --- drivers/android/binder.c | 2 ++ 1 file changed, 2 insertions(+) -- 1.9.1 diff --git a/drivers/android/binder.c b/drivers/android/binder.c index a39e85f..3a74c5d 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2736,6 +2736,8 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) /*pr_info("binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ + if (unlikely(proc->tsk->mm != current->tsk->mm && proc->tsk->mm)) + return -EINVAL; trace_binder_ioctl(cmd, arg);