* [PATCH] staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl
@ 2018-01-08 18:43 Greg Hackmann
  0 siblings, 0 replies; only message in thread
From: Greg Hackmann @ 2018-01-08 18:43 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos,
	Martijn Coenen
  Cc: devel, linux-kernel, Viktor Slavkovic, stable

From: Viktor Slavkovic <viktors@google.com>

A lock-unlock is missing in ASHMEM_SET_SIZE ioctl which can result in a
race condition when mmap is called. After the !asma->file check, before
setting asma->size, asma->file can be set in mmap. That would result in
having different asma->size than the mapped memory size. Combined with
ASHMEM_UNPIN ioctl and shrinker invocation, this can result in memory
corruption.

Signed-off-by: Viktor Slavkovic <viktors@google.com>
Cc: stable@vger.kernel.org
---
 drivers/staging/android/ashmem.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
index 0f695df14c9d..372ce9913e6d 100644
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -765,10 +765,12 @@ static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 		break;
 	case ASHMEM_SET_SIZE:
 		ret = -EINVAL;
+		mutex_lock(&ashmem_mutex);
 		if (!asma->file) {
 			ret = 0;
 			asma->size = (size_t)arg;
 		}
+		mutex_unlock(&ashmem_mutex);
 		break;
 	case ASHMEM_GET_SIZE:
 		ret = asma->size;
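Review bot: the lock taken here around the !asma->file check and the asma->size store only closes the race if ashmem_mmap() tests and assigns asma->file under this same ashmem_mutex; the commit message says only that asma->file "can be set in mmap", so it should state that the mmap path already holds ashmem_mutex across that assignment, since otherwise this hunk serialises nothing. A smaller point in the same hunk: ASHMEM_GET_SIZE immediately below (`ret = asma->size;`) still reads asma->size with no lock; it is a plain size_t load and not what this fix targets, but taking the mutex there as well (or a READ_ONCE()) would make the locking rule for asma->size uniform.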
-- 
2.16.0.rc0.223.g4a4ac83678-goog
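The interleaving the commit message describes, modelled in userspace as an added example (this is not code from the patch, from the ashmem driver, or from the author): a SET_SIZE handler with the same check-then-set shape, a stand-in for ashmem_mmap() that is assumed to take the same mutex, and a hook that forces the racing mmap to run exactly between the `!asma->file` check and the `asma->size` store. The `locked` flag switches between the pre-patch and patched shapes; all identifiers (`asma_model`, `model_set_size`, `model_mmap`, `mmap_in_window`, `race_leaves_inconsistent_state`) are invented for the illustration, and blocking on the held mutex is modelled with `pthread_mutex_trylock` plus a deferred call.

```c
/*
 * Added example, not code from the patch or from the ashmem driver: a
 * single-threaded model of the check-then-set race in the commit message.
 * model_set_size() has the shape of the ASHMEM_SET_SIZE handler; model_mmap()
 * stands in for ashmem_mmap() and is assumed to take the same mutex. The
 * interleaving is forced through a hook, so the result is deterministic.
 * Every name below is invented for the illustration.
 */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

struct asma_model {
	void *file;         /* non-NULL once the region has been mapped */
	size_t size;        /* what SET_SIZE recorded */
	size_t mapped_len;  /* length the mapping was actually created with */
};

static pthread_mutex_t model_mutex = PTHREAD_MUTEX_INITIALIZER;
static bool mmap_deferred;  /* set when "mmap" would have blocked on the mutex */

/*
 * SET_SIZE: refuse once mapped, else record the size. locked=false is the
 * pre-patch shape, locked=true the patched one. in_window() stands for
 * whatever another thread does between the !file check and the store.
 */
static int model_set_size(struct asma_model *a, size_t arg, bool locked,
			  void (*in_window)(struct asma_model *))
{
	int ret = -1;

	if (locked)
		pthread_mutex_lock(&model_mutex);
	if (!a->file) {
		ret = 0;
		in_window(a);
		a->size = arg;
	}
	if (locked)
		pthread_mutex_unlock(&model_mutex);
	return ret;
}

/* mmap: under the mutex, size the mapping from asma->size and set file. */
static void model_mmap(struct asma_model *a)
{
	pthread_mutex_lock(&model_mutex);
	if (!a->file) {
		a->mapped_len = a->size;
		a->file = &a->mapped_len;  /* any non-NULL token will do */
	}
	pthread_mutex_unlock(&model_mutex);
}

/* The invariant the patch restores: once mapped, size == mapped length. */
static bool consistent(const struct asma_model *a)
{
	return !a->file || a->size == a->mapped_len;
}

/*
 * The racing thread's action inside SET_SIZE's window. If the mutex is free
 * (unpatched) mmap goes ahead; if SET_SIZE holds it (patched) a real mmap
 * would block, which we model by deferring it until SET_SIZE returns.
 */
static void mmap_in_window(struct asma_model *a)
{
	if (pthread_mutex_trylock(&model_mutex) != 0) {
		mmap_deferred = true;
		return;
	}
	pthread_mutex_unlock(&model_mutex);
	model_mmap(a);
}

/* SET_SIZE(8192) on a region already sized 4096, with mmap racing it.
 * Returns 1 when size and mapped length disagree afterwards. */
int race_leaves_inconsistent_state(bool locked)
{
	struct asma_model a = { .file = NULL, .size = 4096, .mapped_len = 0 };

	mmap_deferred = false;
	model_set_size(&a, 8192, locked, mmap_in_window);
	if (mmap_deferred)
		model_mmap(&a);  /* runs once SET_SIZE has dropped the mutex */
	return !consistent(&a);
}

int main(void)
{
	printf("unpatched: inconsistent=%d\n", race_leaves_inconsistent_state(false));
	printf("patched:   inconsistent=%d\n", race_leaves_inconsistent_state(true));
	return 0;
}
```

Without the lock the model ends with `size == 8192` but a mapping created for 4096 bytes, which is the mismatch the commit message says the shrinker can later turn into memory corruption; with the lock the racing mmap is held off until SET_SIZE finishes and then maps 8192, so the two agree. The same model also shows that mmap arriving first makes SET_SIZE return its error in both shapes, since the lock changes only atomicity, not the ordering rule the `!file` check enforces.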
