From patchwork Tue Jan 19 09:04:01 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chen Feng X-Patchwork-Id: 59962 Delivered-To: patch@linaro.org Received: by 10.112.130.2 with SMTP id oa2csp2448427lbb; Tue, 19 Jan 2016 01:06:51 -0800 (PST) X-Received: by 10.66.182.202 with SMTP id eg10mr43091476pac.50.1453194411767; Tue, 19 Jan 2016 01:06:51 -0800 (PST) Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id yv4si8816380pab.119.2016.01.19.01.06.51; Tue, 19 Jan 2016 01:06:51 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932663AbcASJGu (ORCPT + 29 others); Tue, 19 Jan 2016 04:06:50 -0500 Received: from szxga03-in.huawei.com ([119.145.14.66]:39191 "EHLO szxga03-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757696AbcASJGp (ORCPT ); Tue, 19 Jan 2016 04:06:45 -0500 Received: from 172.24.1.51 (EHLO SZXEML424-HUB.china.huawei.com) ([172.24.1.51]) by szxrg03-dlp.huawei.com (MOS 4.4.3-GA FastPath queued) with ESMTP id BUW02439; Tue, 19 Jan 2016 17:04:20 +0800 (CST) Received: from vm163-62.huawei.com (10.184.163.62) by SZXEML424-HUB.china.huawei.com (10.82.67.153) with Microsoft SMTP Server id 14.3.235.1; Tue, 19 Jan 2016 17:04:03 +0800 From: Chen Feng To: , , , , , , , , , , , , , , , , , , , , , , , , CC: , , , , Subject: [PATCH v2] android: binder: Sanity check at binder ioctl Date: Tue, 19 Jan 2016 17:04:01 +0800 Message-ID: <1453194241-55201-1-git-send-email-puck.chen@hisilicon.com> X-Mailer: git-send-email 1.9.1 MIME-Version: 1.0 X-Originating-IP: [10.184.163.62] X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020205.569DFC14.0118, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-05-26 15:14:31, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: 4336361f906731a7b191ce86d35f857a Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org When a process fork a child process, we should not allow the child process use the binder which opened by parent process. But if the binder-object creater is a thread of one process who exit, the other thread can also use this binder-object normally. We can distinguish this by the member proc->tsk->mm. If the thread exit the tsk->mm will be NULL. proc->tsk->mm != current->mm && proc->tsk->mm So only allow the shared mm_struct to use the same binder-object and check the existence of mm_struct. V2: Fix compile error for error commit Signed-off-by: Chen Feng Signed-off-by: Wei Dong Signed-off-by: Junmin Zhao Reviewed-by: Zhuangluan Su --- drivers/android/binder.c | 2 ++ 1 file changed, 2 insertions(+) -- 1.9.1 diff --git a/drivers/android/binder.c b/drivers/android/binder.c index a39e85f..279063c 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2736,6 +2736,8 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) /*pr_info("binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ + if (unlikely(proc->tsk->mm != current->mm && proc->tsk->mm)) + return -EINVAL; trace_binder_ioctl(cmd, arg);