[RAMEN9610-21029]staGing: android: ashmem: Disallow ashmem memory from being remapped

When ashmem file is being mmapped the resulting vma->vm_file points to the
backing shmem file with the generic fops that do not check ashmem
permissions like fops of ashmem do. Fix that by disallowing mapping
operation for backing shmem file.

Bug: 142903466
Change-Id: Ic24b44d3fc5b1cb7f2704f251d700ce3667bd2ee
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
(cherry picked from commit 8ff865f4744004deadce3ad60193f530b4c7d1b9)

diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
index 555b5a86ccc8379e9e139e0e0c7ad9a848db793a..7b1c3843176a3ff99e783c9f774eefad3d9b08ac 100644 (file)
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -361,8 +361,23 @@ static inline vm_flags_t calc_vm_may_flags(unsigned long prot)
               _calc_vm_trans(prot, PROT_EXEC,  VM_MAYEXEC);
 }
 
+static int ashmem_vmfile_mmap(struct file *file, struct vm_area_struct *vma)
+{
+       /* do not allow to mmap ashmem backing shmem file directly */
+       return -EPERM;
+}
+
+static unsigned long
+ashmem_vmfile_get_unmapped_area(struct file *file, unsigned long addr,
+                               unsigned long len, unsigned long pgoff,
+                               unsigned long flags)
+{
+       return current->mm->get_unmapped_area(file, addr, len, pgoff, flags);
+}
+
 static int ashmem_mmap(struct file *file, struct vm_area_struct *vma)
 {
+       static struct file_operations vmfile_fops;
        struct ashmem_area *asma = file->private_data;
        int ret = 0;
 
@@ -403,6 +418,19 @@ static int ashmem_mmap(struct file *file, struct vm_area_struct *vma)
                }
                vmfile->f_mode |= FMODE_LSEEK;
                asma->file = vmfile;
+               /*
+                * override mmap operation of the vmfile so that it can't be
+                * remapped which would lead to creation of a new vma with no
+                * asma permission checks. Have to override get_unmapped_area
+                * as well to prevent VM_BUG_ON check for f_ops modification.
+                */
+               if (!vmfile_fops.mmap) {
+                       vmfile_fops = *vmfile->f_op;
+                       vmfile_fops.mmap = ashmem_vmfile_mmap;
+                       vmfile_fops.get_unmapped_area =
+                                       ashmem_vmfile_get_unmapped_area;
+               }
+               vmfile->f_op = &vmfile_fops;
        }
        get_file(asma->file);