From: Al Viro <viro@ZenIV.linux.org.uk>
To: Todd Kjos <tkjos@android.com>
Cc: tkjos@google.com, gregkh@linuxfoundation.org, arve@android.com,
devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org,
maco@google.com
Subject: Re: [PATCH v2] binder: fix proc->files use-after-free
Date: Fri, 17 Nov 2017 19:31:46 +0000 [thread overview]
Message-ID: <20171117193146.GO21978@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20171116175650.40362-1-tkjos@google.com>
On Thu, Nov 16, 2017 at 09:56:50AM -0800, Todd Kjos wrote:
> +static struct files_struct *binder_get_files_struct(struct binder_proc *proc)
> +{
> + return get_files_struct(proc->tsk);
> +}
Hell, _no_. You should never, ever use the result of get_files_struct() for
write access. It's strictly for "let me look at other process' descriptor
table". The whole reason for proc->files is that we want to keep a reference
that *could* be used for modifying the damn thing. And such can be obtained
only by the process itself.
The rules are:
* you can use current->files both for read and write
* you can use get_files_struct(current) to get a reference that
can be used for modifying the damn thing. Then it can be passed to
any other process and used by it.
* you can use get_files_struct(some_other_task) to get a reference
that can be used for examining the descriptor table of that other task.
Violation of those rules means an exploitable race. Here's the logics
fdget() and friends are based on: "I'm going to do something to file
refered by descriptor N. If my descriptor table is not shared, all
struct file references in it will stay around - I'm not changing it,
nobody else has it as their ->current, so any additional references
to that descriptor table will *not* be used for modifying it.
In other words, I don't need to bump the refcount of struct file I'm
about to work with - the reference from my descriptor table will keep
it alive".
Your patch breaks those assumptions. NAK.
next prev parent reply other threads:[~2017-11-17 19:32 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-16 17:56 [PATCH v2] binder: fix proc->files use-after-free Todd Kjos
2017-11-16 20:27 ` Greg KH
2017-11-16 20:37 ` Todd Kjos
2017-11-17 9:30 ` Greg KH
2017-11-17 19:31 ` Al Viro [this message]
2017-11-20 16:57 ` Todd Kjos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171117193146.GO21978@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=arve@android.com \
--cc=devel@driverdev.osuosl.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maco@google.com \
--cc=tkjos@android.com \
--cc=tkjos@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox