Re: [PATCH 1/2] rust_binder: check ownership before using vma

[Jann Horn]

On Tue, Feb 17, 2026 at 9:15 PM Alice Ryhl <aliceryhl@xxxxxxxxxx> wrote:
> On Tue, Feb 17, 2026 at 5:55 PM Jann Horn <jannh@xxxxxxxxxx> wrote:
> > On Tue, Feb 17, 2026 at 3:22 PM Alice Ryhl <aliceryhl@xxxxxxxxxx> wrote:
> > > When installing missing pages (or zapping them), Rust Binder will look
> > > up the vma in the mm by address, and then call vm_insert_page (or
> > > zap_page_range_single). However, if the vma is closed and replaced with
> > > a different vma at the same address, this can lead to Rust Binder
> > > installing pages into the wrong vma.
> > >
> > > By installing the page into a writable vma, it becomes possible to write
> > > to your own binder pages, which are normally read-only. Although you're
> > > not supposed to be able to write to those pages, the intent behind the
> > > design of Rust Binder is that even if you get that ability, it should not
> > > lead to anything bad. Unfortunately, due to another bug, that is not the
> > > case.
> > >
> > > To fix this, I will store a pointer in vm_private_data and check that
> > > the vma returned by vma_lookup() has the right vm_ops and
> > > vm_private_data before trying to use the vma. This should ensure that
> > > Rust Binder will refuse to interact with any other VMA. I will follow up
> > > this patch with more vma abstractions to avoid this unsafe access to
> > > vm_ops and vm_private_data, but for now I'd like to start with the
> > > simplest possible fix.
> >
> > This sounds good to me.
> > (Userspace could still trick Rust Binder into accessing the VMA at the
> > wrong offset, but nothing will go wrong in that case.)
>
> Vma is tricky stuff.

Well, they try to give userspace a lot of flexibility, and then things
like the rmap are supposed to abstract away this complexity so that
normal drivers don't have to deal with this complexity...

> I think if I add the vm_ops->close callback this one isn't possible anymore?

Yeah. (Or you could explicitly check that vma_pgoff_offset(vma,
virtual_address) returns the expected index. But either way, from a
security perspective it shouldn't really matter.)