From: Carlos Llamas <cmllamas@google.com>
To: Chris Mason <clm@meta.com>
Cc: gregkh@linuxfoundation.org, christian@brauner.io,
aliceryhl@google.com, arve@android.com, tkjos@android.com,
casey@schaufler-ca.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] binder: cache secctx size before release zeroes it
Date: Sat, 6 Jun 2026 15:10:33 +0000 [thread overview]
Message-ID: <aiQ4aSUZ3gtzenL-@google.com> (raw)
In-Reply-To: <20260603174506.1957278-1-clm@meta.com>
On Wed, Jun 03, 2026 at 10:44:54AM -0700, Chris Mason wrote:
> binder_transaction() bounds the scatter-gather buffer area with
> sg_buf_end_offset and subtracts the aligned LSM context size because
> the secctx is written at the tail of that area. The subtraction reads
> lsmctx.len, but that field has already been cleared by the time the
> line runs:
>
> security_secid_to_secctx(secid, &lsmctx) /* lsmctx.len set */
> lsmctx_aligned_size = ALIGN(lsmctx.len, sizeof(u64))
> extra_buffers_size += lsmctx_aligned_size
> ...
> security_release_secctx(&lsmctx) /* memset zeroes len */
> ...
> sg_buf_end_offset = sg_buf_offset + extra_buffers_size
> - ALIGN(lsmctx.len, sizeof(u64)) /* ALIGN(0,8) */
>
> security_release_secctx() does memset(cp, 0, sizeof(*cp)), so lsmctx.len
> reads back as 0 and the subtraction contributes nothing, leaving
> sg_buf_end_offset too large by the aligned secctx size on every
> transaction to a txn_security_ctx node.
>
> Each BINDER_TYPE_PTR object then derives buf_left = sg_buf_end_offset -
> sg_buf_offset as the sole upper bound on its copy, so the inflated end
> offset lets the copy run into the bytes that already hold the secctx.
>
> The aligned size must therefore be cached before release rather than
> re-read from the now-cleared field. Fix by caching it in
> lsmctx_aligned_size at function scope when it is first computed and
> subtracting lsmctx_aligned_size instead of re-reading lsmctx.len after
> release. Reuse the same value for the earlier buf_offset computation.
>
> Fixes: 6fba89813ccf ("lsm: ensure the correct LSM context releaser")
> Cc: stable@vger.kernel.org
> Assisted-by: kres:claude-opus-4-8
> Signed-off-by: Chris Mason <clm@meta.com>
> ---
Thanks,
Acked-by: Carlos Llamas <cmllamas@google.com>
prev parent reply other threads:[~2026-06-06 15:10 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-03 17:44 [PATCH] binder: cache secctx size before release zeroes it Chris Mason
2026-06-04 11:11 ` Alice Ryhl
2026-06-06 15:10 ` Carlos Llamas [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aiQ4aSUZ3gtzenL-@google.com \
--to=cmllamas@google.com \
--cc=aliceryhl@google.com \
--cc=arve@android.com \
--cc=casey@schaufler-ca.com \
--cc=christian@brauner.io \
--cc=clm@meta.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tkjos@android.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.