[PATCH] binder: cache secctx size before release zeroes it

[PATCH] binder: cache secctx size before release zeroes it

[Chris Mason]

binder_transaction() bounds the scatter-gather buffer area with
sg_buf_end_offset and subtracts the aligned LSM context size because
the secctx is written at the tail of that area.  The subtraction reads
lsmctx.len, but that field has already been cleared by the time the
line runs:

    security_secid_to_secctx(secid, &lsmctx)   /* lsmctx.len set */
    lsmctx_aligned_size = ALIGN(lsmctx.len, sizeof(u64))
    extra_buffers_size += lsmctx_aligned_size
    ...
    security_release_secctx(&lsmctx)            /* memset zeroes len */
    ...
    sg_buf_end_offset = sg_buf_offset + extra_buffers_size
                        - ALIGN(lsmctx.len, sizeof(u64)) /* ALIGN(0,8) */

security_release_secctx() does memset(cp, 0, sizeof(*cp)), so lsmctx.len
reads back as 0 and the subtraction contributes nothing, leaving
sg_buf_end_offset too large by the aligned secctx size on every
transaction to a txn_security_ctx node.

Each BINDER_TYPE_PTR object then derives buf_left = sg_buf_end_offset -
sg_buf_offset as the sole upper bound on its copy, so the inflated end
offset lets the copy run into the bytes that already hold the secctx.

The aligned size must therefore be cached before release rather than
re-read from the now-cleared field.  Fix by caching it in
lsmctx_aligned_size at function scope when it is first computed and
subtracting lsmctx_aligned_size instead of re-reading lsmctx.len after
release.  Reuse the same value for the earlier buf_offset computation.

Fixes: 6fba89813ccf ("lsm: ensure the correct LSM context releaser")
Cc: stable@vger.kernel.org
Assisted-by: kres:claude-opus-4-8
Signed-off-by: Chris Mason <clm@meta.com>
---
 drivers/android/binder.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 9e6194224593..9b4771c1e943 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3080,6 +3080,7 @@ static void binder_transaction(struct binder_proc *proc,
 	int t_debug_id = atomic_inc_return(&binder_last_id);
 	ktime_t t_start_time = ktime_get();
 	struct lsm_context lsmctx = { };
+	size_t lsmctx_aligned_size = 0;
 	struct list_head sgc_head;
 	struct list_head pf_head;
 	const void __user *user_buffer = (const void __user *)
@@ -3348,7 +3349,6 @@ static void binder_transaction(struct binder_proc *proc,
 
 	if (target_node && target_node->txn_security_ctx) {
 		u32 secid;
-		size_t added_size;
 
 		security_cred_getsecid(proc->cred, &secid);
 		ret = security_secid_to_secctx(secid, &lsmctx);
@@ -3360,9 +3360,9 @@ static void binder_transaction(struct binder_proc *proc,
 			return_error_line = __LINE__;
 			goto err_get_secctx_failed;
 		}
-		added_size = ALIGN(lsmctx.len, sizeof(u64));
-		extra_buffers_size += added_size;
-		if (extra_buffers_size < added_size) {
+		lsmctx_aligned_size = ALIGN(lsmctx.len, sizeof(u64));
+		extra_buffers_size += lsmctx_aligned_size;
+		if (extra_buffers_size < lsmctx_aligned_size) {
 			binder_txn_error("%d:%d integer overflow of extra_buffers_size\n",
 				thread->pid, proc->pid);
 			return_error = BR_FAILED_REPLY;
@@ -3399,7 +3399,7 @@ static void binder_transaction(struct binder_proc *proc,
 		size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) +
 				    ALIGN(tr->offsets_size, sizeof(void *)) +
 				    ALIGN(extra_buffers_size, sizeof(void *)) -
-				    ALIGN(lsmctx.len, sizeof(u64));
+				    lsmctx_aligned_size;
 
 		t->security_ctx = t->buffer->user_data + buf_offset;
 		err = binder_alloc_copy_to_buffer(&target_proc->alloc,
@@ -3454,7 +3454,7 @@ static void binder_transaction(struct binder_proc *proc,
 	off_end_offset = off_start_offset + tr->offsets_size;
 	sg_buf_offset = ALIGN(off_end_offset, sizeof(void *));
 	sg_buf_end_offset = sg_buf_offset + extra_buffers_size -
-		ALIGN(lsmctx.len, sizeof(u64));
+		lsmctx_aligned_size;
 	off_min = 0;
 	for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
 	     buffer_offset += sizeof(binder_size_t)) {
-- 
2.52.0

Re: [PATCH] binder: cache secctx size before release zeroes it

[Alice Ryhl]

On Wed, Jun 03, 2026 at 10:44:54AM -0700, Chris Mason wrote:
> binder_transaction() bounds the scatter-gather buffer area with
> sg_buf_end_offset and subtracts the aligned LSM context size because
> the secctx is written at the tail of that area.  The subtraction reads
> lsmctx.len, but that field has already been cleared by the time the
> line runs:
> 
>     security_secid_to_secctx(secid, &lsmctx)   /* lsmctx.len set */
>     lsmctx_aligned_size = ALIGN(lsmctx.len, sizeof(u64))
>     extra_buffers_size += lsmctx_aligned_size
>     ...
>     security_release_secctx(&lsmctx)            /* memset zeroes len */
>     ...
>     sg_buf_end_offset = sg_buf_offset + extra_buffers_size
>                         - ALIGN(lsmctx.len, sizeof(u64)) /* ALIGN(0,8) */
> 
> security_release_secctx() does memset(cp, 0, sizeof(*cp)), so lsmctx.len
> reads back as 0 and the subtraction contributes nothing, leaving
> sg_buf_end_offset too large by the aligned secctx size on every
> transaction to a txn_security_ctx node.
> 
> Each BINDER_TYPE_PTR object then derives buf_left = sg_buf_end_offset -
> sg_buf_offset as the sole upper bound on its copy, so the inflated end
> offset lets the copy run into the bytes that already hold the secctx.
> 
> The aligned size must therefore be cached before release rather than
> re-read from the now-cleared field.  Fix by caching it in
> lsmctx_aligned_size at function scope when it is first computed and
> subtracting lsmctx_aligned_size instead of re-reading lsmctx.len after
> release.  Reuse the same value for the earlier buf_offset computation.
> 
> Fixes: 6fba89813ccf ("lsm: ensure the correct LSM context releaser")
> Cc: stable@vger.kernel.org
> Assisted-by: kres:claude-opus-4-8
> Signed-off-by: Chris Mason <clm@meta.com>

Reviewed-by: Alice Ryhl <aliceryhl@google.com>