ashmem_mmap failure in subtle cases

Bug #869374 reported by Mike Hommey
Affects: Linaro Android
Status: Confirmed
Importance: High
Assigned to: Unassigned
Milestone: none

Bug Description

Some context: I have been seeing crashes in Android apps when running them under gdbserver (NVIDIA's) or valgrind (custom build), but not when running natively or under strace. It so happens that Dalvik is getting ashmem fds through the binder, and maps them. But in a specific case, that mmap fails. What happens is the following:
- some process creates an ashmem region, and sets its protection mask to PROT_READ. That process doesn't have personality READ_IMPLIES_EXEC.
- another process gets that ashmem fd through the binder. This process has personality READ_IMPLIES_EXEC.
- when calling mmap on the fd with PROT_READ, as the personality has READ_IMPLIES_EXEC, the kernel calls ashmem_mmap with PROT_READ | PROT_EXEC, which fails the protection check in ashmem_mmap, since the ashmem region is PROT_READ and not PROT_READ | PROT_EXEC.

(The reason the other process has personality READ_IMPLIES_EXEC is that the executable has an executable stack, which, unfortunately, is what you get by default with the Android NDK.)
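An added example, not from the bug report or from any Linaro/Android code, that models in user space the two kernel checks the description walks through: the mapping side's READ_IMPLIES_EXEC promotion of a PROT_READ request to PROT_READ | PROT_EXEC, and ashmem's comparison of the requested bits against the region's protection mask. It assumes the kernel behaves as the description states; the function names are invented for the model, and nothing here opens /dev/ashmem, so it runs on any Linux host.

```c
/* Added example: user-space model of the do_mmap() READ_IMPLIES_EXEC rule and
 * the ashmem_mmap() prot-mask check, as described in the bug report. */
#include <stdio.h>
#include <sys/mman.h>
#include <sys/personality.h>

/* The protection bits ashmem cares about. */
#define ASHMEM_PROT_BITS (PROT_READ | PROT_WRITE | PROT_EXEC)

/* Model of the mapper side: with READ_IMPLIES_EXEC in the persona, any
 * readable mapping request silently gains PROT_EXEC before the driver sees it. */
int effective_prot(int requested, unsigned long persona)
{
    if ((requested & PROT_READ) && (persona & READ_IMPLIES_EXEC))
        requested |= PROT_EXEC;
    return requested;
}

/* Model of the ashmem check: every requested bit must be allowed by the
 * region's prot mask. Returns 0 on success, -1 where the kernel returns EPERM. */
int ashmem_prot_check(int region_mask, int requested)
{
    if ((requested & ~region_mask) & ASHMEM_PROT_BITS)
        return -1;
    return 0;
}

/* Combined outcome for a process with the given persona mapping a region
 * whose creator set region_mask, requesting `requested`. */
int ashmem_map_outcome(int region_mask, int requested, unsigned long persona)
{
    return ashmem_prot_check(region_mask, effective_prot(requested, persona));
}

/* Does the calling process carry READ_IMPLIES_EXEC? personality(0xffffffff)
 * returns the current persona without changing it. */
int has_read_implies_exec(void)
{
    int p = personality(0xffffffff);
    return p != -1 && (p & READ_IMPLIES_EXEC) != 0;
}

int main(void)
{
    printf("mask PROT_READ, request PROT_READ, persona 0: %s\n",
           ashmem_map_outcome(PROT_READ, PROT_READ, 0) == 0 ? "ok" : "EPERM");
    printf("mask PROT_READ, request PROT_READ, READ_IMPLIES_EXEC: %s\n",
           ashmem_map_outcome(PROT_READ, PROT_READ, READ_IMPLIES_EXEC) == 0 ? "ok" : "EPERM");
    printf("this process has READ_IMPLIES_EXEC: %d\n", has_read_implies_exec());
    return 0;
}
```

The third line of output is the check worth running inside any process that maps ashmem regions: if it prints 1, PROT_READ mappings of PROT_READ-only regions will fail exactly as in this report.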

Mike Hommey (mh-glandium) wrote :

The following program highlights the problem:

#include <sys/mman.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <linux/ashmem.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Set the calling process's execution domain; 0 clears every persona flag. */
void set_personality(unsigned int p) {
  syscall(__NR_personality, p);
}

int main() {
  int fd = open("/dev/ashmem", O_RDWR);
  if (fd < 0)
    return 2;  /* no ashmem device here, nothing to reproduce */
  /* Creator side: region with protection mask PROT_READ, persona without READ_IMPLIES_EXEC. */
  set_personality(0);
  ioctl(fd, ASHMEM_SET_SIZE, 4096);
  ioctl(fd, ASHMEM_SET_PROT_MASK, PROT_READ);
  /* Mapper side: same fd, but with READ_IMPLIES_EXEC the kernel turns this PROT_READ
     request into PROT_READ | PROT_EXEC, which ashmem_mmap rejects against the mask. */
  set_personality(0x0400000 /* READ_IMPLIES_EXEC */);
  if (mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd, 0) == MAP_FAILED)
    return 1;  /* the failure this bug is about */
  return 0;
}

Loïc Minier (lool)
tags: added: linaro-mozilla
Fathi Boudra (fboudra)
Changed in linaro-android:
status: New → Confirmed
vishal (vishalbhoj)
Changed in linaro-android:
importance: Undecided → High
milestone: none → 13.06
assignee: nobody → HariGopal (harigopal-gollamudi)
Changed in linaro-android:
status: Confirmed → In Progress
Fathi Boudra (fboudra)
Changed in linaro-android:
milestone: 13.06 → 13.07
Fathi Boudra (fboudra)
Changed in linaro-android:
milestone: 13.07 → 13.09
Fathi Boudra (fboudra)
Changed in linaro-android:
milestone: 13.09 → 13.10
vishal (vishalbhoj) wrote :

Removing the milestone since no one is working on the bug.

Changed in linaro-android:
status: In Progress → Confirmed
milestone: 13.10 → none
assignee: HariGopal (harigopal-gollamudi) → nobody
Botao (botao-sun) wrote :

Based on comment #2, please mark it as "Won't Fix".
