
Commit a79f41ed authored by Al Viro

binder: don't allow mmap() by process other than proc->tsk



we really shouldn't do get_files_struct() on a different process
and use it to modify the sucker later on.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
parent c921b40d
+4 −1
@@ -2793,6 +2793,9 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
	const char *failure_string;
	struct binder_buffer *buffer;

	if (proc->tsk != current)
		return -EINVAL;

	if ((vma->vm_end - vma->vm_start) > SZ_4M)
		vma->vm_end = vma->vm_start + SZ_4M;

@@ -2857,7 +2860,7 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
	binder_insert_free_buffer(proc, buffer);
	proc->free_async_space = proc->buffer_size / 2;
	barrier();
	proc->files = get_files_struct(proc->tsk);
	proc->files = get_files_struct(current);
	proc->vma = vma;
	proc->vma_vm_mm = vma->vm_mm;
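Review bot: The new guard `if (proc->tsk != current)` in the first hunk compares task_struct pointers, so it tests the calling thread rather than the calling process. If `proc->tsk` is recorded as the thread that opened the device (that assignment is outside these hunks, so this is inferred), a sibling thread of the same process that calls mmap() would now get -EINVAL, even though it typically shares the opener's files_struct. Comparing thread-group leaders, e.g. `if (proc->tsk != current->group_leader)` with the open path storing `current->group_leader`, would keep the cross-process rejection without that side effect. The early return is also silent, while the `failure_string` local declared just above suggests other failure paths report a reason; a comment such as `/* proc->files is taken from current below; refuse mmap() from any other task */` would record why the check exists. binder_mmap's body starts and ends outside the hunks.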