Commit a79f41ed authored by Al Viro

binder: don't allow mmap() by process other than proc->tsk

we really shouldn't do get_files_struct() on a different process
and use it to modify the sucker later on.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
parent c921b40d
...@@ -2793,6 +2793,9 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) ...@@ -2793,6 +2793,9 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
const char *failure_string; const char *failure_string;
struct binder_buffer *buffer; struct binder_buffer *buffer;
if (proc->tsk != current)
return -EINVAL;
if ((vma->vm_end - vma->vm_start) > SZ_4M) if ((vma->vm_end - vma->vm_start) > SZ_4M)
vma->vm_end = vma->vm_start + SZ_4M; vma->vm_end = vma->vm_start + SZ_4M;
...@@ -2857,7 +2860,7 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) ...@@ -2857,7 +2860,7 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
binder_insert_free_buffer(proc, buffer); binder_insert_free_buffer(proc, buffer);
proc->free_async_space = proc->buffer_size / 2; proc->free_async_space = proc->buffer_size / 2;
barrier(); barrier();
proc->files = get_files_struct(proc->tsk); proc->files = get_files_struct(current);
proc->vma = vma; proc->vma = vma;
proc->vma_vm_mm = vma->vm_mm; proc->vma_vm_mm = vma->vm_mm;
......
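Review bot: The new guard at the top of binder_mmap() compares `proc->tsk` with `current`, which identifies a single thread rather than a process. If `proc->tsk` is recorded as the thread that opened the device (that assignment is not visible in these hunks), an mmap() from a sibling thread that would normally share the same files_struct is also rejected with -EINVAL. If only cross-process mapping is meant to be refused, as the commit title suggests, comparing thread groups would express that: `if (proc->tsk->group_leader != current->group_leader)`. The early return also bypasses the `failure_string` reporting declared just above it, so the rejection is silent. A one-line comment such as `/* proc->files is pinned from the caller further down; refuse mmap from any other task */` would record why the check exists. The body of binder_mmap() starts and ends outside the visible hunks.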