linux-stable/drivers/android
Todd Kjos 35cc2facc2 binder: fix UAF when releasing todo list
commit f3277cbfba upstream.

When releasing a thread todo list when tearing down
a binder_proc, the following race was possible which
could result in a use-after-free:

1.  Thread 1: enter binder_release_work from binder_thread_release
2.  Thread 2: binder_update_ref_for_handle() -> binder_dec_node_ilocked()
3.  Thread 2: dec nodeA --> 0 (will free node)
4.  Thread 1: ACQ inner_proc_lock
5.  Thread 2: block on inner_proc_lock
6.  Thread 1: dequeue work (BINDER_WORK_NODE, part of nodeA)
7.  Thread 1: REL inner_proc_lock
8.  Thread 2: ACQ inner_proc_lock
9.  Thread 2: todo list cleanup, but work was already dequeued
10. Thread 2: free node
11. Thread 2: REL inner_proc_lock
12. Thread 1: deref w->type (UAF)

The problem was that for a BINDER_WORK_NODE, the binder_work element
must not be accessed after releasing the inner_proc_lock while
processing the todo list elements since another thread might be
handling a deref on the node containing the binder_work element
leading to the node being freed.

Signed-off-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20201009232455.4054810-1-tkjos@google.com
Cc: <stable@vger.kernel.org> # 4.14, 4.19, 5.4, 5.8
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-10-29 09:54:56 +01:00
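The interleaving in the commit message replayed sequentially in C, as an added illustration that is neither the kernel's code nor the patch itself: the work item is embedded in its node (as a BINDER_WORK_NODE is embedded in the node), a `freed` flag stands in for kfree(), and a checked read stands in for KASAN. The racy release dereferences `w->type` after dropping the lock; the fixed one copies the type while the lock is still held, which is what the message's rule ("must not be accessed after releasing the inner_proc_lock") requires. All names are constructed for the model.

```c
#include <stdbool.h>
/* Constructed model, not binder code: the work item lives inside the node,
 * as a BINDER_WORK_NODE lives inside struct binder_node. */
enum work_type { WORK_TRANSACTION = 1, WORK_NODE = 2 };
struct work { enum work_type type; };
struct node { struct work work; bool freed; }; /* freed stands in for kfree() */
static bool inner_proc_locked;                 /* models inner_proc_lock */
static void lock_proc(void)   { inner_proc_locked = true; }
static void unlock_proc(void) { inner_proc_locked = false; }

/* Thread 2 (steps 8-11): takes the lock once it is free, cleans up, frees the node. */
static void thread2_dec_node(struct node *n)
{
    if (inner_proc_locked)
        return;                                /* step 5: would block on the lock */
    n->freed = true;                           /* step 10: node freed */
}

/* KASAN-style checked read: report a use-after-free (-1) instead of reading freed memory. */
static int read_work_type(const struct work *w)
{
    const struct node *n = (const struct node *)w;  /* container_of(w, struct node, work) */
    return n->freed ? -1 : (int)w->type;
}

/* Thread 1 in the racy order: dequeue, release the lock, then dereference w. */
static int release_work_racy(struct node *n)
{
    lock_proc();                               /* step 4 */
    struct work *w = &n->work;                 /* step 6: dequeue the work */
    unlock_proc();                             /* step 7 */
    thread2_dec_node(n);                       /* steps 8-11 run here */
    return read_work_type(w);                  /* step 12: UAF, reported as -1 */
}

/* Thread 1 fixed: copy w->type while the lock is held and never touch w afterwards. */
static int release_work_fixed(struct node *n)
{
    lock_proc();
    struct work *w = &n->work;
    int wtype = (int)w->type;                  /* snapshot taken under the lock */
    unlock_proc();
    thread2_dec_node(n);                       /* node may be freed from here on */
    return wtype;                              /* safe: w is not dereferenced */
}

/* Both runs start from a live node carrying a WORK_NODE item. */
static int demo_racy(void)  { struct node n = { { WORK_NODE }, false }; return release_work_racy(&n); }
static int demo_fixed(void) { struct node n = { { WORK_NODE }, false }; return release_work_fixed(&n); }
```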
binder.c binder: fix UAF when releasing todo list 2020-10-29 09:54:56 +01:00
binder_alloc.c binder: Don't use mmput() from shrinker function. 2020-07-29 10:16:54 +02:00
binder_alloc.h binder: fix race that allows malicious free of live buffer 2018-12-05 19:32:11 +01:00
binder_alloc_selftest.c android: binder: Add global lru shrinker to binder 2017-08-28 16:47:17 +02:00
binder_trace.h android: binder: Show extra_buffers_size in trace 2018-08-02 10:34:12 +02:00
Kconfig android: binder: Drop dependency on !M68K 2018-07-07 17:44:52 +02:00
Makefile android: binder: Add allocator selftest 2017-08-28 16:47:17 +02:00