From: Carlos Llamas <cmllamas@google.com>
To: Liam Howlett <liam.howlett@oracle.com>
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Arve Hjønnevåg" <arve@android.com>,
"Todd Kjos" <tkjos@android.com>,
"Martijn Coenen" <maco@android.com>,
"Joel Fernandes" <joel@joelfernandes.org>,
"Christian Brauner" <brauner@kernel.org>,
"Suren Baghdasaryan" <surenb@google.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"kernel-team@android.com" <kernel-team@android.com>,
"syzbot+f7dc54e5be28950ac459@syzkaller.appspotmail.com"
<syzbot+f7dc54e5be28950ac459@syzkaller.appspotmail.com>,
"syzbot+a75ebe0452711c9e56d9@syzkaller.appspotmail.com"
<syzbot+a75ebe0452711c9e56d9@syzkaller.appspotmail.com>,
"stable@vger.kernel.org" <stable@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/7] binder: fix alloc->vma_vm_mm null-ptr dereference
Date: Tue, 30 Aug 2022 19:40:49 +0000
Message-ID: <Yw5nwaNI5ewExYtC@google.com>
In-Reply-To: <20220830190515.dlrp2a3ypfyhzid5@revolver>
On Tue, Aug 30, 2022 at 07:06:37PM +0000, Liam Howlett wrote:
> > diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
> > index 51f4e1c5cd01..9b1778c00610 100644
> > --- a/drivers/android/binder_alloc.c
> > +++ b/drivers/android/binder_alloc.c
> > @@ -322,7 +322,6 @@ static inline void binder_alloc_set_vma(struct binder_alloc *alloc,
> > */
> > if (vma) {
> > vm_start = vma->vm_start;
> > - alloc->vma_vm_mm = vma->vm_mm;
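Review bot: the initialisation that replaces `alloc->vma_vm_mm = vma->vm_mm;` is not visible in this hunk, so the quoted change on its own does not show that `alloc->vma_vm_mm` is set before `binder_alloc_new_buf_locked()` or `binder_alloc_print_pages()` can take `mmap_lock` through it; the assignment being removed sits under `if (vma)` and was never the dereference site. Name the new initialisation point (and where the matching release happens) in the commit message, or quote that hunk alongside this one, so a reviewer can confirm `mmap_read_lock()` can no longer be reached with a NULL mm.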
>
> Is this really the null pointer dereference? We check for vma above..?
>
Not here. The sequence leading to the null-ptr-deref happens when we try
to take alloc->vma_vm_mm->mmap_lock in binder_alloc_new_buf_locked() and
in binder_alloc_print_pages() without initializing alloc->vma_vm_mm
first (e.g. mmap() was never called). These sequences are described in
the commit message but basically they translate to mmap_read_lock(NULL)
calls.
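The ordering problem Carlos describes (a path that takes `alloc->vma_vm_mm->mmap_lock` while the field is only ever filled in by mmap(), which may never have been called) is easy to lose in the kernel source, so here is an added user-space model of it. This is not binder code and not the patch's code: the struct layouts, the `proc_mm` stand-in for `current->mm`, the `ioctl_new_buf()` entry point, the reference counter, and the choice to report the would-be NULL dereference as -EFAULT instead of crashing are all assumptions made for the example. The "fixed" ordering records the mm at open() time, independently of mmap(), which is the general shape of the fix rather than the patch's exact code.

```c
/*
 * Added example (not kernel code): user-space model of the ordering bug in
 * which a field is initialised only by mmap() but used by other entry points.
 * Everything here is a stand-in; proc_mm, ioctl_new_buf and the error codes
 * are assumptions for the example.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct mm_struct {               /* stand-in for the kernel's mm_struct */
	int mmap_lock_readers;       /* models mmap_lock held for read */
	int grab_count;              /* models mmgrab()/mmdrop() */
};

struct vm_area_struct {          /* stand-in for the kernel's vma */
	unsigned long vm_start;
	struct mm_struct *vm_mm;
};

struct binder_alloc {            /* only the fields the example needs */
	struct mm_struct *mm;        /* the field called vma_vm_mm in the patch */
	unsigned long vma_addr;      /* 0 while nothing is mapped */
};

/* The mm of the task that opened the fd (constructed, single process). */
static struct mm_struct proc_mm = { 0, 0 };

/* Stand-ins for mmap_read_lock()/mmap_read_unlock(); they dereference mm. */
static void model_mmap_read_lock(struct mm_struct *mm)   { mm->mmap_lock_readers++; }
static void model_mmap_read_unlock(struct mm_struct *mm) { mm->mmap_lock_readers--; }

/* --- buggy ordering: the mm is recorded only when mmap() runs --- */
void open_before_fix(struct binder_alloc *a)
{
	a->mm = NULL;                /* stays NULL until mmap() */
	a->vma_addr = 0;
}

void mmap_before_fix(struct binder_alloc *a, struct vm_area_struct *vma)
{
	a->vma_addr = vma->vm_start;
	a->mm = vma->vm_mm;          /* corresponds to the line the patch removes */
}

/* --- fixed ordering: the mm is taken at open(), independently of mmap() --- */
void open_after_fix(struct binder_alloc *a)
{
	a->mm = &proc_mm;            /* assumed: grab current->mm at open time */
	a->mm->grab_count++;
	a->vma_addr = 0;
}

void mmap_after_fix(struct binder_alloc *a, struct vm_area_struct *vma)
{
	a->vma_addr = vma->vm_start; /* mm already known; only the address is new */
}

/*
 * Model of the path that must hold mm->mmap_lock to look at the vma. The
 * kernel path had no NULL check and crashed in mmap_read_lock(NULL); here the
 * crash is reported as -EFAULT so the sequence can be exercised safely.
 */
int ioctl_new_buf(struct binder_alloc *a)
{
	int ret;

	if (!a->mm)
		return -EFAULT;          /* the null-ptr-deref in the buggy ordering */

	model_mmap_read_lock(a->mm);
	ret = a->vma_addr ? 0 : -ESRCH;   /* -ESRCH chosen here for "no mapping" */
	model_mmap_read_unlock(a->mm);
	return ret;
}

/* open() -> ioctl() with no mmap() in between, under each ordering. */
int ioctl_without_mmap(int fixed)
{
	struct binder_alloc a;

	if (fixed)
		open_after_fix(&a);
	else
		open_before_fix(&a);
	return ioctl_new_buf(&a);
}

/* open() -> mmap() -> ioctl(): both orderings work once a vma exists. */
int ioctl_with_mmap(int fixed)
{
	struct binder_alloc a;
	struct vm_area_struct vma = { 0x7f0000000000UL, &proc_mm }; /* constructed */

	if (fixed) {
		open_after_fix(&a);
		mmap_after_fix(&a, &vma);
	} else {
		open_before_fix(&a);
		mmap_before_fix(&a, &vma);
	}
	return ioctl_new_buf(&a);
}

int main(void)
{
	printf("ioctl before mmap, buggy ordering: %d\n", ioctl_without_mmap(0));
	printf("ioctl before mmap, fixed ordering: %d\n", ioctl_without_mmap(1));
	printf("ioctl after mmap, both orderings:  %d %d\n",
	       ioctl_with_mmap(0), ioctl_with_mmap(1));
	return 0;
}
```

The point of the model is the difference between the two `ioctl_without_mmap()` results: in the buggy ordering the entry point reaches the lock with no mm at all, while in the fixed ordering it takes the lock on a valid mm and fails cleanly because no vma is mapped yet. Any other entry point that runs between open() and mmap() (a debugfs reader, a transaction ioctl) has the same shape.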
Thread overview (26+ messages):
2022-08-29 20:12 [PATCH 0/7] fix null-ptr-deref in binder_alloc and others Carlos Llamas
2022-08-29 20:12 ` [PATCH 1/7] binder: fix alloc->vma_vm_mm null-ptr dereference Carlos Llamas
2022-08-29 20:34 ` Andrew Morton
2022-08-29 21:20 ` Carlos Llamas
2022-08-30 19:06 ` Liam Howlett
2022-08-30 19:40 ` Carlos Llamas [this message]
2022-08-30 20:30 ` Liam Howlett
2022-08-30 22:26 ` Todd Kjos
2022-08-29 20:12 ` [PATCH 2/7] binder: fix trivial kernel-doc typo Carlos Llamas
2022-08-30 7:53 ` Christian Brauner
2022-08-30 22:20 ` Todd Kjos
2022-08-29 20:12 ` [PATCH 3/7] binder: rename alloc->vma_vm_mm to alloc->mm Carlos Llamas
2022-08-30 7:56 ` Christian Brauner
2022-08-30 22:20 ` Todd Kjos
2022-08-29 20:12 ` [PATCH 4/7] binder: remove binder_alloc_set_vma() Carlos Llamas
2022-08-30 18:57 ` Liam Howlett
2022-08-30 21:08 ` Carlos Llamas
2022-08-29 20:12 ` [PATCH 5/7] binder: remove unused binder_alloc->buffer_free Carlos Llamas
2022-08-30 7:57 ` Christian Brauner
2022-08-30 22:21 ` Todd Kjos
2022-08-29 20:12 ` [PATCH 6/7] binder: fix binder_alloc kernel-doc warnings Carlos Llamas
2022-08-30 7:53 ` Christian Brauner
2022-08-30 22:22 ` Todd Kjos
2022-08-29 20:12 ` [PATCH 7/7] binderfs: remove unused INTSTRLEN macro Carlos Llamas
2022-08-30 7:53 ` Christian Brauner
2022-09-01 14:18 ` [PATCH 0/7] fix null-ptr-deref in binder_alloc and others Greg Kroah-Hartman