redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity
alistair23-linux/drivers/android
History
Christian Brauner c71986d18d binderfs: use refcount for binder control devices too 
[ Upstream commit 211b64e4b5 ]

Binderfs binder-control devices are cleaned up via binderfs_evict_inode
too() which will use refcount_dec_and_test(). However, we missed to set
the refcount for binderfs binder-control devices and so we underflowed
when the binderfs instance got unmounted. Pretty obvious oversight and
should have been part of the more general UAF fix. The good news is that
having test cases (suprisingly) helps.

Technically, we could detect that we're about to cleanup the
binder-control dentry in binderfs_evict_inode() and then simply clean it
up. But that makes the assumption that the binder driver itself will
never make use of a binderfs binder-control device after the binderfs
instance it belongs to has been unmounted and the superblock for it been
destroyed. While it is unlikely to ever come to this let's be on the
safe side. Performance-wise this also really doesn't matter since the
binder-control device is only every really when creating the binderfs
filesystem or creating additional binder devices. Both operations are
pretty rare.

Fixes: f0fe2c0f05 ("binder: prevent UAF for binderfs devices II")
Link: https://lore.kernel.org/r/CA+G9fYusdfg7PMfC9Xce-xLT7NiyKSbgojpK35GOm=Pf9jXXrA@mail.gmail.com
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20200311105309.1742827-1-christian.brauner@ubuntu.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2020-03-25 08:25:50 +01:00
..
Kconfig binder: add functions to copy to/from binder buffers 2019-02-12 10:43:57 +01:00
Makefile treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
binder.c binder: prevent UAF for binderfs devices II 2020-03-12 13:00:17 +01:00
binder_alloc.c binder: Handle start==NULL in binder_update_page_range() 2019-12-13 08:43:25 +01:00
binder_alloc.h binder: return errors from buffer copy functions 2019-07-01 08:42:47 +02:00
binder_alloc_selftest.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
binder_internal.h binder: prevent UAF for binderfs devices II 2020-03-12 13:00:17 +01:00
binder_trace.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
binderfs.c binderfs: use refcount for binder control devices too 2020-03-25 08:25:50 +01:00