From: Alice Ryhl <aliceryhl@google.com>
To: Carlos Llamas <cmllamas@google.com>
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	"Arve Hjønnevåg" <arve@android.com>,
	"Todd Kjos" <tkjos@android.com>,
	"Christian Brauner" <brauner@kernel.org>,
	"Li Li" <dualli@google.com>,
	kernel-team@android.com, linux-kernel@vger.kernel.org,
	stable@vger.kernel.org
Subject: Re: [PATCH] binder: fix UAF in binder_netlink_report()
Date: Thu, 22 Jan 2026 08:27:13 +0000	[thread overview]
Message-ID: <aXHfYfNZ20-3J8qR@google.com> (raw)
In-Reply-To: <aXEFObeAwlzXprDC@google.com>

On Wed, Jan 21, 2026 at 04:56:25PM +0000, Carlos Llamas wrote:
> On Wed, Jan 21, 2026 at 03:24:06PM +0000, Alice Ryhl wrote:
> > 
> > Erm, this solution seems dangerous to me. You access t->to_proc and
> > t->to_thread inside binder_netlink_report(), and if t has been freed,
> > could the same apply to t->to_proc or t->to_thread?
> > 
> > After looking a bit more: I can see now that you do call
> > 
> > 	if (target_thread)
> > 		binder_thread_dec_tmpref(target_thread);
> > 	binder_proc_dec_tmpref(target_proc);
> > 	if (target_node)
> > 		binder_dec_node_tmpref(target_node);
> > 
> > after this ... so I guess it can't go wrong in this particular way.
> 
> Right, the access to the target is safe because of the tmprefs just like
> the rest of the transaction().
> 
> > But I'm concerned that we will add fields in the future where this is
> > not the case. For example, let's say that tomorrow I want to include
> > t->buffer->clear_on_free in the printed data. If the transaction is
> > freed, then t->buffer might also be freed.
> 
> You actually can't access t->buffer already, there are scenarios where
> the t->buffer is released before calling binder_netlink_report().

Hmm, I suppose you are right. It may be worth mentioning that you can't
access t->buffer in a comment inside netlink_report?

Alice
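The hazard the thread is circling (a report helper handed a transaction pointer that may already be freed, safe today only because to_proc/to_thread are pinned by tmprefs and nobody touches t->buffer) is the classic case for passing a by-value snapshot instead of the pointer. The following is an added illustration, not binder code and not the approach the posted patch takes; struct names, fields and the snapshot/emit split are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model for illustration only; these are NOT the kernel's
 * binder_transaction / binder_proc / binder_buffer definitions.
 */
struct proc {
    int pid;
    int tmpref;             /* temporary reference, modelled on the tmpref idea */
};

struct buffer {
    size_t data_size;
    int clear_on_free;
};

struct transaction {
    unsigned int debug_id;
    struct proc *to_proc;   /* kept alive by the caller's tmpref */
    struct buffer *buffer;  /* may be released before reporting */
};

/* By-value snapshot: the only thing the report function is allowed to see. */
struct txn_report {
    unsigned int debug_id;
    int to_pid;
    size_t data_size;
    int clear_on_free;
};

/* Copy every reported field while t and t->buffer are still valid. */
static void txn_snapshot(struct txn_report *r, const struct transaction *t)
{
    memset(r, 0, sizeof *r);
    r->debug_id = t->debug_id;
    r->to_pid = t->to_proc ? t->to_proc->pid : -1;
    if (t->buffer) {
        r->data_size = t->buffer->data_size;
        r->clear_on_free = t->buffer->clear_on_free;
    }
}

/* Reporting sees only the snapshot, so there is no pointer that can dangle. */
static int txn_report_emit(const struct txn_report *r, char *out, size_t len)
{
    int n = snprintf(out, len, "txn %u to pid %d size %zu clear_on_free %d",
                     r->debug_id, r->to_pid, r->data_size, r->clear_on_free);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/*
 * Simulates the ordering that makes late access dangerous: the buffer is
 * released, then the transaction itself is freed, and only then is the
 * report emitted. Freed memory is poisoned first so that any stale read
 * would show up as garbage rather than silently "working".
 */
int run_failure_path(char *out, size_t len)
{
    struct proc *p = calloc(1, sizeof *p);
    struct buffer *b = calloc(1, sizeof *b);
    struct transaction *t = calloc(1, sizeof *t);
    struct txn_report r;
    int rc;

    if (!p || !b || !t) {
        free(p); free(b); free(t);
        return -1;
    }

    p->pid = 1234;
    p->tmpref = 1;              /* caller holds a tmpref on the target proc */
    b->data_size = 64;
    b->clear_on_free = 1;
    t->debug_id = 7;
    t->to_proc = p;
    t->buffer = b;

    txn_snapshot(&r, t);        /* everything is still live here */

    /* buffer released early, as happens on some error paths */
    memset(b, 0xa5, sizeof *b);
    free(b);
    t->buffer = NULL;

    /* transaction freed */
    memset(t, 0xa5, sizeof *t);
    free(t);

    rc = txn_report_emit(&r, out, len);  /* touches neither t nor b */

    if (--p->tmpref == 0)       /* drop the tmpref last, like the caller does */
        free(p);
    return rc;
}

int main(void)
{
    char out[128];
    if (run_failure_path(out, sizeof out) == 0)
        puts(out);
    return 0;
}
```

The point of the split is that a future field (the t->buffer->clear_on_free case from the thread) has to be added to txn_snapshot, which by construction runs while the transaction and its buffer are live, rather than to the emit side where a new dereference of t would silently reintroduce the use-after-free.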


Thread overview: 7+ messages
2026-01-21 14:50 [PATCH] binder: fix UAF in binder_netlink_report() Carlos Llamas
2026-01-21 15:24 ` Alice Ryhl
2026-01-21 16:56   ` Carlos Llamas
2026-01-22  8:27     ` Alice Ryhl [this message]
2026-01-22 17:48       ` Carlos Llamas
2026-01-22 18:02       ` [PATCH v2] " Carlos Llamas
2026-01-23  9:18         ` Alice Ryhl
