mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-02 23:27:06 +00:00
Code Issues Releases Wiki Activity

binder: fix proc->files use-after-free

Browse source 
commit 7f3dc0088b upstream.

proc->files cleanup is initiated by binder_vma_close. Therefore
a reference on the binder_proc is not enough to prevent the
files_struct from being released while the binder_proc still has
a reference. This can lead to an attempt to dereference the
stale pointer obtained from proc->files prior to proc->files
cleanup. This has been seen once in task_get_unused_fd_flags()
when __alloc_fd() is called with a stale "files".

The fix is to protect proc->files with a mutex to prevent cleanup
while in use.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Todd Kjos 2017-11-27 09:32:33 -08:00 committed by Greg Kroah-Hartman
parent 412091e27d
commit c0d75dacff
1 changed files with 29 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
drivers/android/binder.c
View file

@ -302,6 +302,7 @@ struct binder_proc {
struct mm_struct *vma_vm_mm; struct mm_struct *vma_vm_mm;
struct task_struct *tsk; struct task_struct *tsk;
struct files_struct *files; struct files_struct *files;
struct mutex files_lock;
struct hlist_node deferred_work_node; struct hlist_node deferred_work_node;
int deferred_work; int deferred_work;
void *buffer; void *buffer;
@ -375,20 +376,26 @@ binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer);
static int task_get_unused_fd_flags(struct binder_proc *proc, int flags) static int task_get_unused_fd_flags(struct binder_proc *proc, int flags)
{ {
struct files_struct *files = proc->files;
unsigned long rlim_cur; unsigned long rlim_cur;
unsigned long irqs; unsigned long irqs;
int ret;
if (files == NULL) mutex_lock(&proc->files_lock);
return -ESRCH; if (proc->files == NULL) {
ret = -ESRCH;
if (!lock_task_sighand(proc->tsk, &irqs)) goto err;
return -EMFILE; }
if (!lock_task_sighand(proc->tsk, &irqs)) {
ret = -EMFILE;
goto err;
}
rlim_cur = task_rlimit(proc->tsk, RLIMIT_NOFILE); rlim_cur = task_rlimit(proc->tsk, RLIMIT_NOFILE);
unlock_task_sighand(proc->tsk, &irqs); unlock_task_sighand(proc->tsk, &irqs);
return __alloc_fd(files, 0, rlim_cur, flags); ret = __alloc_fd(proc->files, 0, rlim_cur, flags);
err:
mutex_unlock(&proc->files_lock);
return ret;
} }
/* /*
@ -397,8 +404,10 @@ static int task_get_unused_fd_flags(struct binder_proc *proc, int flags)
static void task_fd_install( static void task_fd_install(
struct binder_proc *proc, unsigned int fd, struct file *file) struct binder_proc *proc, unsigned int fd, struct file *file)
{ {
mutex_lock(&proc->files_lock);
if (proc->files) if (proc->files)
__fd_install(proc->files, fd, file); __fd_install(proc->files, fd, file);
mutex_unlock(&proc->files_lock);
} }
/* /*
@ -408,9 +417,11 @@ static long task_close_fd(struct binder_proc *proc, unsigned int fd)
{ {
int retval; int retval;
if (proc->files == NULL) mutex_lock(&proc->files_lock);
return -ESRCH; if (proc->files == NULL) {
retval = -ESRCH;
goto err;
}
retval = __close_fd(proc->files, fd); retval = __close_fd(proc->files, fd);
/* can't restart close syscall because file table entry was cleared */ /* can't restart close syscall because file table entry was cleared */
if (unlikely(retval == -ERESTARTSYS || if (unlikely(retval == -ERESTARTSYS ||
@ -418,7 +429,8 @@ static long task_close_fd(struct binder_proc *proc, unsigned int fd)
retval == -ERESTARTNOHAND || retval == -ERESTARTNOHAND ||
retval == -ERESTART_RESTARTBLOCK)) retval == -ERESTART_RESTARTBLOCK))
retval = -EINTR; retval = -EINTR;
err:
mutex_unlock(&proc->files_lock);
return retval; return retval;
} }
@ -2946,7 +2958,9 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
binder_insert_free_buffer(proc, buffer); binder_insert_free_buffer(proc, buffer);
proc->free_async_space = proc->buffer_size / 2; proc->free_async_space = proc->buffer_size / 2;
barrier(); barrier();
mutex_lock(&proc->files_lock);
proc->files = get_files_struct(current); proc->files = get_files_struct(current);
mutex_unlock(&proc->files_lock);
proc->vma = vma; proc->vma = vma;
proc->vma_vm_mm = vma->vm_mm; proc->vma_vm_mm = vma->vm_mm;
@ -2982,6 +2996,7 @@ static int binder_open(struct inode *nodp, struct file *filp)
return -ENOMEM; return -ENOMEM;
get_task_struct(current->group_leader); get_task_struct(current->group_leader);
proc->tsk = current->group_leader; proc->tsk = current->group_leader;
mutex_init(&proc->files_lock);
INIT_LIST_HEAD(&proc->todo); INIT_LIST_HEAD(&proc->todo);
init_waitqueue_head(&proc->wait); init_waitqueue_head(&proc->wait);
proc->default_priority = task_nice(current); proc->default_priority = task_nice(current);
@ -3220,9 +3235,11 @@ static void binder_deferred_func(struct work_struct *work)
files = NULL; files = NULL;
if (defer & BINDER_DEFERRED_PUT_FILES) { if (defer & BINDER_DEFERRED_PUT_FILES) {
mutex_lock(&proc->files_lock);
files = proc->files; files = proc->files;
if (files) if (files)
proc->files = NULL; proc->files = NULL;
mutex_unlock(&proc->files_lock);
} }
if (defer & BINDER_DEFERRED_FLUSH) if (defer & BINDER_DEFERRED_FLUSH)