mmap in tidspbridge is missing range-checks. For now, make this interface root-only, so that it does not cause security problems. Signed-off-by: Pavel Machek <pavel@xxxxxx> Reported-by: Nico Golde <nico@xxxxxxxxx> Reported-by: Fabian Yamaguchi <fabs@xxxxxxxxx> --- On Sat 2013-11-30 22:49:35, Dan Carpenter wrote: > On Sat, Nov 30, 2013 at 08:19:32PM +0100, Pavel Machek wrote: > > so perhaps Nico Golde or Dan Carpenter can elaborate? I Cc-ed them > > now. > > > > Or is it some kind of super-secret issue and still under embargo for > > 10 days? > > Nope, it's not secret. Here is the original report from Nico and > Fabian. Please give them credit when you fix the bug. Thanks! > Felipe Contreras says we could just remove mmap() support and the driver > would still work, but no one has submitted a patch to do that. Really > this driver needs an actual maintainer who will respond to security bugs > and also start to move the driver out of staging. There starts to be real traction around Nokia N900, so I believe it is going to be fixed. (And with Nemo/Mer getting popularity due to Jolla, it should get even better). But no, I did not figure out how to run Nemo in qemu, yet... Pavel diff --git a/drivers/staging/tidspbridge/rmgr/drv_interface.c b/drivers/staging/tidspbridge/rmgr/drv_interface.c index 1aa4a3f..8533e67 100644 --- a/drivers/staging/tidspbridge/rmgr/drv_interface.c +++ b/drivers/staging/tidspbridge/rmgr/drv_interface.c @@ -258,7 +258,10 @@ err: /* This function maps kernel space memory to user space memory. */ static int bridge_mmap(struct file *filp, struct vm_area_struct *vma) { - u32 status; + int status; + + if (!capable(CAP_SYS_RAWIO)) + return -EPERM; /* VM_IO | VM_DONTEXPAND | VM_DONTDUMP are set by remap_pfn_range() */ vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); 
@@ -271,10 +274,10 @@ static int bridge_mmap(struct file *filp, struct vm_area_struct *vma) status = remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff, vma->vm_end - vma->vm_start, vma->vm_page_prot); - if (status != 0) - status = -EAGAIN; + if (status) + return -EAGAIN; - return status; + return 0; } static const struct file_operations bridge_fops = { -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
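Review bot: in the first hunk the commit message promises a "root-only" interface, but the gate added at the top of bridge_mmap() is `if (!capable(CAP_SYS_RAWIO)) return -EPERM;`, which keys on a capability rather than on uid 0 (an unprivileged process granted CAP_SYS_RAWIO passes, and root in a capability-restricted context does not); the message, and a one-line comment above the check, should name CAP_SYS_RAWIO and state that this is a stopgap for the missing range checks on vma->vm_pgoff, not a fix for them. The `u32 status` to `int status` change is correct, since the variable carries a negative errno from remap_pfn_range(), and placing the check before pgprot_noncached() is the right ordering.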
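Review bot: in the second hunk `if (status) return -EAGAIN;` keeps the pre-existing behaviour of collapsing every remap_pfn_range() failure into -EAGAIN, which hides the real cause (such as -ENOMEM) from user space and from anyone debugging a failing mmap; now that status is an int, `return status;` would propagate the errno with no extra code. With the early return in place, the success path's `return 0;` is fine, but status is then live for a single call and could be dropped by testing remap_pfn_range() directly in the if.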