UPSTREAM: mm/madvise: remove racy mm ownership check

Jann spotted a security hole due to a race in the mm ownership check.

If the task is sharing the mm_struct but goes through execve() before
mm_access(), it could skip the process_madvise_behavior_valid check.  That
allows *any advice hint* to reach into the remote process.

This patch removes the mm ownership check.  With it, we lose the
ability for a local process to give *any* advice hint via the vector
interface for some reason (e.g., performance).  Since there is no
concrete example in upstream yet, it is better to remove the
ability at this moment and review it again when such a new advice comes
up.

Fixes: ecb8ac8b1f14 ("mm/madvise: introduce process_madvise() syscall: an external memory hinting API")
Reported-by: Jann Horn <jannh@google.com>
Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Minchan Kim <minchan@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

(cherry picked from commit a68a0262abdaa251e12c53715f48e698a18ef402)

Bug: 153444106
Test: Built and flashed kernel

Signed-off-by: Edgar Arriaga Garcia <edgararriaga@google.com>
Change-Id: I49b1a581d1d6b651b46e0e7024cf61bce29578ba
1 file changed