redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity
alistair23-linux/drivers
History
Jann Horn c5665cafbe binder: Prevent context manager from incrementing ref 0 
commit 4b836a1426 upstream.

Binder is designed such that a binder_proc never has references to
itself. If this rule is violated, memory corruption can occur when a
process sends a transaction to itself; see e.g.
<https://syzkaller.appspot.com/bug?extid=09e05aba06723a94d43d>.

There is a remaining edgecase through which such a transaction-to-self
can still occur from the context of a task with BINDER_SET_CONTEXT_MGR
access:

 - task A opens /dev/binder twice, creating binder_proc instances P1
   and P2
 - P1 becomes context manager
 - P2 calls ACQUIRE on the magic handle 0, allocating index 0 in its
   handle table
 - P1 dies (by closing the /dev/binder fd and waiting a bit)
 - P2 becomes context manager
 - P2 calls ACQUIRE on the magic handle 0, allocating index 1 in its
   handle table
   [this triggers a warning: "binder: 1974:1974 tried to acquire
   reference to desc 0, got 1 instead"]
 - task B opens /dev/binder once, creating binder_proc instance P3
 - P3 calls P2 (via magic handle 0) with (void*)1 as argument (two-way
   transaction)
 - P2 receives the handle and uses it to call P3 (two-way transaction)
 - P3 calls P2 (via magic handle 0) (two-way transaction)
 - P2 calls P2 (via handle 1) (two-way transaction)

And then, if P2 does *NOT* accept the incoming transaction work, but
instead closes the binder fd, we get a crash.

Solve it by preventing the context manager from using ACQUIRE on ref 0.
There shouldn't be any legitimate reason for the context manager to do
that.

Additionally, print a warning if someone manages to find another way to
trigger a transaction-to-self bug in the future.

Cc: stable@vger.kernel.org
Fixes: 457b9a6f09 ("Staging: android: add binder driver")
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Martijn Coenen <maco@android.com>
Link: https://lore.kernel.org/r/20200727120424.1627555-1-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2020-08-11 15:33:35 +02:00
..
accessibility
acpi ACPI: video: Use native backlight on Acer TravelMate 5735Z 2020-07-22 09:33:00 +02:00
amba
android binder: Prevent context manager from incrementing ref 0 2020-08-11 15:33:35 +02:00
ata ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function 2020-06-30 15:37:03 -04:00
atm fore200e: Fix incorrect checks of NULL pointer dereference 2020-02-24 08:36:36 +01:00
auxdisplay
base PM: wakeup: Show statistics for deleted wakeup sources again 2020-07-31 18:39:32 +02:00
bcma
block Revert "zram: convert remaining CLASS_ATTR() to CLASS_ATTR_RO()" 2020-07-22 09:33:12 +02:00
bluetooth Bluetooth: hci_bcm: fix freeing not-requested IRQ 2020-06-22 09:31:18 +02:00
bus bus: ti-sysc: Do not disable on suspend for no-idle 2020-07-22 09:33:01 +02:00
cdrom cdrom: respect device capabilities during opening action 2020-01-04 19:18:25 +01:00
char random32: update the net random state on interrupt and activity 2020-08-07 09:34:01 +02:00
clk clk: qcom: gcc: Add missing UFS clocks for SM8150 2020-07-22 09:33:07 +02:00
clocksource arm64: arch_timer: Disable the compat vdso for cores affected by ARM64_WORKAROUND_1418040 2020-07-22 09:32:51 +02:00
connector
counter counter: 104-quad-8: Add lock guards - generic interface 2020-05-02 08:48:44 +02:00
cpufreq cpufreq: Fix up cpufreq_boost_set_sw() 2020-06-17 16:40:33 +02:00
cpuidle cpuidle: Fix three reference count leaks 2020-06-22 09:31:10 +02:00
crypto crypto: ccp - Release all allocated memory if sha type is invalid 2020-08-05 09:59:40 +02:00
dax device-dax: don't leak kernel memory to user space after unloading kmem 2020-05-27 17:46:48 +02:00
dca
devfreq PM / devfreq: Add missing locking while setting suspend_freq 2020-05-10 10:31:34 +02:00
dio
dma dmaengine: ioat setting ioat timeout as module parameter 2020-07-29 10:18:37 +02:00
dma-buf dmabuf: use spinlock to access dmabuf->name 2020-07-29 10:18:29 +02:00
edac EDAC/amd64: Read back the scrub rate PCI register on F15h 2020-07-09 09:37:49 +02:00
eisa
extcon extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()' 2020-06-24 17:50:36 +02:00
firewire net: add annotations on hh->hh_len lockless accesses 2020-01-09 10:20:06 +01:00
firmware drivers/firmware/psci: Fix memory leakage in alloc_init_cpu_groups() 2020-07-29 10:18:28 +02:00
fpga fpga: dfl: fix bug in port reset handshake 2020-07-29 10:18:31 +02:00
fsi fsi: core: Fix small accesses and unaligned offsets via sysfs 2019-12-31 16:45:09 +01:00
gnss gnss: sirf: fix error return code in sirf_probe() 2020-06-22 09:31:20 +02:00
gpio gpio: arizona: put pm_runtime in case of failure 2020-07-29 10:18:26 +02:00
gpu drm: hold gem reference until object is no longer accessed 2020-08-05 09:59:44 +02:00
greybus
hid HID: apple: Disable Fn-key key-re-mapping on clone keyboards 2020-07-29 10:18:36 +02:00
hsi
hv Drivers: hv: vmbus: Always handle the VMBus messages on CPU0 2020-06-22 09:31:00 +02:00
hwmon hwmon: (scmi) Fix potential buffer overflow in scmi_hwmon_probe() 2020-07-29 10:18:39 +02:00
hwspinlock
hwtracing intel_th: Fix a NULL dereference when hub driver is not loaded 2020-07-22 09:33:15 +02:00
i2c Revert "i2c: cadence: Fix the hold bit setting" 2020-08-05 09:59:50 +02:00
i3c
ide ide: serverworks: potential overflow in svwks_set_pio_mode() 2020-02-24 08:36:53 +01:00
idle
iio iio: adc: ad7780: Fix a resource handling path in 'ad7780_probe()' 2020-07-22 09:33:02 +02:00
infiniband IB/rdmavt: Fix RQ counting issues causing use of an invalid RWQE 2020-08-05 09:59:42 +02:00
input Input: elan_i2c - only increment wakeup count on touch 2020-07-29 10:18:38 +02:00
interconnect
iommu irqdomain/treewide: Keep firmware node unconditionally allocated 2020-07-29 10:18:28 +02:00
ipack ipack: tpci200: fix error return code in tpci200_register() 2020-05-27 17:46:47 +02:00
irqchip irqchip/gic: Atomically update affinity 2020-07-09 09:37:56 +02:00
isdn
leds leds: core: Fix warning message when init_data 2020-04-23 10:36:37 +02:00
lightnvm
macintosh drivers/macintosh: Fix memleak in windfarm_pm112 driver 2020-06-22 09:31:22 +02:00
mailbox mailbox: zynqmp-ipi: Fix NULL vs IS_ERR() check in zynqmp_ipi_mbox_probe() 2020-06-24 17:50:36 +02:00
mcb
md dm integrity: fix integrity recalculation that is improperly skipped 2020-07-29 10:18:45 +02:00
media media: rc: prevent memory leak in cx23888_ir_probe 2020-08-05 09:59:40 +02:00
memory memory: mtk-smi: Add PM suspend and resume ops 2020-01-17 19:48:59 +01:00
memstick
message scsi: mptscsih: Fix read sense data size 2020-07-16 08:16:36 +02:00
mfd mfd: stmfx: Disable IRQ in suspend to avoid spurious interrupt 2020-06-24 17:50:33 +02:00
misc misc: atmel-ssc: lock with mutex instead of spinlock 2020-07-22 09:33:15 +02:00
mmc mmc: sdhci-of-aspeed: Fix clock divider calculation 2020-07-29 10:18:44 +02:00
mtd mtd: rawnand: oxnas: Release all devices in the _remove() path 2020-07-22 09:33:07 +02:00
mux
net drivers/net/wan: lapb: Corrected the usage of skb_cow 2020-08-05 09:59:51 +02:00
nfc nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame 2020-08-05 09:59:50 +02:00
ntb NTB: perf: Fix race condition when run with ntb_test 2020-06-24 17:50:41 +02:00
nubus
nvdimm libnvdimm: Out of bounds read in __nd_ioctl() 2020-04-23 10:36:42 +02:00
nvme nvme-tcp: fix possible hang waiting for icresp response 2020-08-05 09:59:45 +02:00
nvmem nvmem: qfprom: remove incorrect write support 2020-06-10 20:24:57 +02:00
of of: of_mdio: Correct loop scanning logic 2020-07-22 09:32:55 +02:00
opp opp: Free static OPPs on errors while adding them 2020-02-24 08:36:34 +01:00
oprofile
parisc
parport parport: load lowlevel driver if ports not found 2019-12-31 16:45:25 +01:00
pci PCI/ASPM: Disable ASPM on ASMedia ASM1083/1085 PCIe-to-PCI bridge 2020-08-05 09:59:41 +02:00
pcmcia
perf drivers/perf: Prevent forced unbinding of PMU drivers 2020-07-29 10:18:40 +02:00
phy phy: sun4i-usb: fix dereference of pointer phy0 before it is null checked 2020-07-22 09:33:01 +02:00
pinctrl pinctrl: amd: fix npins for uart0 in kerncz_groups 2020-07-29 10:18:26 +02:00
platform platform/x86: asus-wmi: allow BAT1 battery name 2020-07-29 10:18:39 +02:00
pnp
power power: supply: smb347-charger: IRQSTAT_D is volatile 2020-06-24 17:50:25 +02:00
powercap powercap: intel_rapl: add NULL pointer check to rapl_mmio_cpu_online() 2020-01-14 20:08:18 +01:00
pps
ps3
ptp ptp: free ptp device pin descriptors properly 2020-01-23 08:22:51 +01:00
pwm pwm: jz4740: Fix build failure 2020-07-16 08:16:48 +02:00
rapidio rapidio: fix an error in get_user_pages_fast() error handling 2020-05-27 17:46:48 +02:00
ras
regulator regualtor: pfuze100: correct sw1a/sw2 on pfuze3000 2020-06-30 15:36:54 -04:00
remoteproc remoteproc: qcom_q6v5_mss: map/unmap mpss segments before/after use 2020-06-24 17:50:13 +02:00
reset reset: uniphier: Add SCSSI reset control for each channel 2020-02-24 08:36:41 +01:00
rpmsg rpmsg: char: release allocated memory 2020-01-14 20:08:37 +01:00
rtc rtc: rv3028: Add missed check for devm_regmap_init_i2c() 2020-06-24 17:50:36 +02:00
s390 s390/qeth: fix error handling for isolation mode cmds 2020-06-30 15:36:57 -04:00
sbus
scsi scsi: core: Run queue in case of I/O resource contention failure 2020-08-05 09:59:50 +02:00
sfi
sh
siox
slimbus slimbus: core: Fix mismatch in of_node_get/put 2020-07-22 09:33:08 +02:00
soc soc: qcom: rpmh: Dirt can only make you dirtier, not cleaner 2020-07-29 10:18:25 +02:00
soundwire soundwire: intel: fix memory leak with devm_kasprintf 2020-07-22 09:33:00 +02:00
spi spi: mediatek: use correct SPI_CFG2_REG MACRO 2020-07-29 10:18:37 +02:00
spmi spmi: pmic-arb: Set lockdep class for hierarchical irq domains 2020-02-19 19:53:07 +01:00
ssb
staging Staging: rtl8188eu: rtw_mlme: Fix uninitialized variable authmode 2020-08-11 15:33:34 +02:00
target scsi: target: tcmu: Fix a use after free in tcmu_check_expired_queue_cmd() 2020-06-24 17:50:34 +02:00
tc
tee tee: optee: Fix compilation issue with nommu 2020-02-05 21:22:49 +00:00
thermal thermal/drivers/cpufreq_cooling: Fix wrong frequency converted from power 2020-07-22 09:33:16 +02:00
thunderbolt thunderbolt: Prevent crash if non-active NVMem file is read 2020-02-28 17:22:13 +01:00
tty vt: Reject zero-sized screen buffer size. 2020-07-29 10:18:43 +02:00
uio uio_pdrv_genirq: fix use without device tree and no interrupt 2020-07-22 09:33:13 +02:00
usb usb: xhci: Fix ASMedia ASM1142 DMA addressing 2020-08-11 15:33:32 +02:00
vfio vfio/mdev: Fix reference count leak in add_mdev_supported_type 2020-06-24 17:50:36 +02:00
vhost vhost/scsi: fix up req type endian-ness 2020-08-05 09:59:42 +02:00
video omapfb: dss: Fix max fclk divider for omap36xx 2020-08-11 15:33:34 +02:00
virt virt: vbox: Fix guest capabilities mask check 2020-07-22 09:33:11 +02:00
virtio virtio_balloon: fix up endian-ness for free cmd id 2020-08-05 09:59:43 +02:00
visorbus visorbus: fix uninitialized variable access 2020-02-24 08:36:47 +01:00
vlynq
vme vme: bridges: reduce stack usage 2020-02-24 08:36:48 +01:00
w1 w1: omap-hdq: cleanup to add missing newline for some dev_dbg 2020-06-22 09:31:26 +02:00
watchdog watchdog: da9062: No need to ping manually before setting timeout 2020-06-24 17:50:32 +02:00
xen xen/pvcalls-back: test for errors when calling backend_connect() 2020-06-17 16:40:38 +02:00
zorro
Kconfig
Makefile