From: Greg KH <gregkh@linuxfoundation.org>
To: Todd Kjos <tkjos@android.com>
Cc: tkjos@google.com, arve@android.com, devel@driverdev.osuosl.org,
	linux-kernel@vger.kernel.org, maco@google.com,
	stable@vger.kernel.org, kernel-team@android.com
Subject: Re: [PATCH] binder: fix race that allows malicious free of live buffer
Date: Fri, 9 Nov 2018 04:32:04 -0800	[thread overview]
Message-ID: <20181109123204.GA11583@kroah.com> (raw)
In-Reply-To: <20181106235532.171646-1-tkjos@google.com>

On Tue, Nov 06, 2018 at 03:55:32PM -0800, Todd Kjos wrote:
> Malicious code can attempt to free buffers using the
> BC_FREE_BUFFER ioctl to binder. There are protections
> against a user freeing a buffer while in use by the
> kernel, however there was a window where BC_FREE_BUFFER
> could be used to free a recently allocated buffer that
> was not completely initialized. This resulted in a
> use-after-free detected by KASAN with a malicious
> test program.
> 
> This window is closed by setting the buffer's
> allow_user_free attribute to 0 when the buffer
> is allocated or when the user has previously
> freed it instead of waiting for the caller
> to set it. The problem was that when the struct
> buffer was recycled, allow_user_free was stale
> and set to 1 allowing a free to go through.
> 
> Signed-off-by: Todd Kjos <tkjos@google.com>
> Acked-by: Arve Hjønnevåg <arve@android.com>

No "stable" tag here?  Any idea how far back the stable backporting
should go, if any?

thanks,

greg k-h
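The race described in the quoted commit message comes down to a per-buffer permission flag that survives recycling of the struct: after a legitimate free, `allow_user_free` stayed at 1, so the next allocation of the same struct could be freed from user space before the kernel had finished initialising it. The following toy model, added here as an illustration and not binder code, reproduces that failure mode and the fix on a two-slot pool; the struct, pool and function names are constructed for the example, and "initialised" stands in for whatever work the kernel does on the buffer before it hands control back to the caller.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a recyclable buffer record. The real binder
 * struct is richer; only the fields needed for the race are kept. */
struct buf {
    bool in_use;           /* slot currently allocated */
    bool initialised;      /* kernel finished setting the buffer up */
    bool allow_user_free;  /* may a user-driven free release this slot? */
};

#define POOL_SLOTS 2
static struct buf pool[POOL_SLOTS];

/* First free slot, or NULL. Recycles slot 0 after it has been freed. */
static struct buf *pool_get(void)
{
    for (size_t i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            pool[i].initialised = false;
            return &pool[i];
        }
    }
    return NULL;
}

/* Allocation. With fixed == false the flag is left untouched, so a
 * recycled struct inherits whatever the previous owner set (the bug).
 * With fixed == true it is cleared on every allocation. */
static struct buf *alloc_buf(bool fixed)
{
    struct buf *b = pool_get();
    if (b && fixed)
        b->allow_user_free = false;
    return b;
}

/* The caller finishes setup and only then permits user frees. */
static void finish_init(struct buf *b)
{
    b->initialised = true;
    b->allow_user_free = true;
}

/* User-driven free (the BC_FREE_BUFFER analogue). Honoured only when the
 * flag allows it; the fixed variant also clears the flag so a later
 * recycled allocation cannot inherit it. Returns true if the slot was
 * released. */
static bool user_free(struct buf *b, bool fixed)
{
    if (!b->in_use || !b->allow_user_free)
        return false;
    if (fixed)
        b->allow_user_free = false;
    b->in_use = false;
    return true;
}

/* Drives the sequence from the commit message: a buffer is used and freed
 * legitimately, the same struct is recycled, and a user free is attempted
 * before initialisation completes. Returns true if that premature free
 * succeeded on an uninitialised buffer. */
bool premature_free_possible(bool fixed)
{
    memset(pool, 0, sizeof pool);

    struct buf *first = alloc_buf(fixed);
    finish_init(first);
    user_free(first, fixed);              /* legitimate free */

    struct buf *recycled = alloc_buf(fixed);  /* same slot, not yet initialised */
    bool freed = user_free(recycled, fixed);  /* attempted before finish_init */
    return freed && !recycled->initialised;
}
```

With `fixed == false` the second free goes through against a buffer the kernel has not finished with, which is the window the patch closes; with `fixed == true` the stale permission is cleared both at allocation and at free, so the same sequence is refused. The general lesson is that any "user may release this" permission on a pooled object has to be reset when the object changes hands, not only when the previous owner remembers to do so.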

Thread overview: 4+ messages
2018-11-06 23:55 [PATCH] binder: fix race that allows malicious free of live buffer Todd Kjos
2018-11-09 12:32 ` Greg KH [this message]
2018-11-09 12:32   ` Greg KH
2018-11-09 16:22   ` Todd Kjos
