Date: Tue, 23 Jun 2020 07:22:24 +0200
From: Greg Kroah-Hartman
To: Todd Kjos
Cc: Christian Brauner, Christian Brauner, Arve Hjønnevåg, "open list:ANDROID DRIVERS", LKML, Martijn Coenen, "Joel Fernandes (Google)", Android Kernel Team, stable
Subject: Re: [PATCH] binder: fix null deref of proc->context
Message-ID: <20200623052224.GC2252466@kroah.com>
References: <20200622200715.114382-1-tkjos@google.com> <20200622200955.unq7elx2ry2vrnfe@wittgenstein>
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jun 22, 2020 at 01:59:04PM -0700, Todd Kjos wrote:
> On Mon, Jun 22, 2020 at 1:18 PM Todd Kjos wrote:
> >
> > On Mon, Jun 22, 2020 at 1:09 PM Christian Brauner wrote:
> > >
> > > On Mon, Jun 22, 2020 at 01:07:15PM -0700, Todd Kjos wrote:
> > > > The binder driver makes the assumption proc->context pointer is invariant after
> > > > initialization (as documented in the kerneldoc header for struct proc).
> > > > However, in commit f0fe2c0f050d ("binder: prevent UAF for binderfs devices II")
> > > > proc->context is set to NULL during binder_deferred_release().
> > > >
> > > > Another proc was in the middle of setting up a transaction to the dying
> > > > process and crashed on a NULL pointer deref on "context" which is a local
> > > > set to &proc->context:
> > > >
> > > > new_ref->data.desc = (node == context->binder_context_mgr_node) ? 0 : 1;
> > > >
> > > > Here's the stack:
> > > >
> > > > [ 5237.855435] Call trace:
> > > > [ 5237.855441] binder_get_ref_for_node_olocked+0x100/0x2ec
> > > > [ 5237.855446] binder_inc_ref_for_node+0x140/0x280
> > > > [ 5237.855451] binder_translate_binder+0x1d0/0x388
> > > > [ 5237.855456] binder_transaction+0x2228/0x3730
> > > > [ 5237.855461] binder_thread_write+0x640/0x25bc
> > > > [ 5237.855466] binder_ioctl_write_read+0xb0/0x464
> > > > [ 5237.855471] binder_ioctl+0x30c/0x96c
> > > > [ 5237.855477] do_vfs_ioctl+0x3e0/0x700
> > > > [ 5237.855482] __arm64_sys_ioctl+0x78/0xa4
> > > > [ 5237.855488] el0_svc_common+0xb4/0x194
> > > > [ 5237.855493] el0_svc_handler+0x74/0x98
> > > > [ 5237.855497] el0_svc+0x8/0xc
> > > >
> > > > The fix is to move the kfree of the binder_device to binder_free_proc()
> > > > so the binder_device is freed when we know there are no references
> > > > remaining on the binder_proc.
> > > >
> > > > Fixes: f0fe2c0f050d ("binder: prevent UAF for binderfs devices II")
> > > > Signed-off-by: Todd Kjos
> >
> > Forgot to include stable. The issue was introduced in 5.6, so fix needed in 5.7.
> > Cc: stable@vger.kernel.org # 5.7
>
> Turns out the patch with the issue was also backported to 5.4.y, so
> the fix is needed there too.

With the fixes tag in there and cc: stable, it will get to the proper trees no matter how far back it was backported :)

thanks,

greg k-h
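Added example, not code from the binder driver or from Todd's patch: a small user-space C model of the lifetime pattern the quoted commit message describes. A "proc" owns a pointer to a "context" that other code is allowed to treat as invariant for the proc's lifetime. The buggy teardown clears and frees that pointer while an in-flight transaction still holds a reference to the proc; the fixed teardown only drops the owner's reference, and the context is freed in the final free routine once no references remain. All struct and function names here are hypothetical stand-ins for binder_proc, binder_context, binder_deferred_release() and binder_free_proc().

```c
/* Constructed model of the proc->context lifetime bug; not kernel code.
 * Names are hypothetical: proc stands in for binder_proc, context for the
 * object whose pointer the report says must stay invariant after init. */
#include <stdlib.h>
#include <stddef.h>
#include <stdio.h>

struct context {
    int context_mgr_node;     /* stand-in for binder_context_mgr_node */
};

struct proc {
    int refs;                 /* references held by users of this proc */
    struct context *context;  /* documented as invariant after init */
    int deferred;             /* set once teardown has been requested */
};

/* Create a proc with one reference held by its owner. */
static struct proc *proc_new(void)
{
    struct proc *p = calloc(1, sizeof(*p));
    if (!p)
        return NULL;
    p->context = calloc(1, sizeof(*p->context));
    if (!p->context) {
        free(p);
        return NULL;
    }
    p->context->context_mgr_node = 42; /* constructed sample value */
    p->refs = 1;
    return p;
}

static void proc_get(struct proc *p) { p->refs++; }

/* Final free: runs only when no references remain, so releasing the
 * context here cannot race with a user of the proc. This mirrors the
 * fix of moving the kfree into the free-proc path. */
static void proc_free(struct proc *p)
{
    free(p->context);
    free(p);
}

static void proc_put(struct proc *p)
{
    if (--p->refs == 0)
        proc_free(p);
}

/* Buggy teardown: frees the context and NULLs the pointer even though
 * other references to the proc may still exist. */
static void deferred_release_buggy(struct proc *p)
{
    p->deferred = 1;
    free(p->context);
    p->context = NULL;
    proc_put(p);
}

/* Fixed teardown: only drops the owner's reference; the context lives
 * until the last user calls proc_put(). */
static void deferred_release_fixed(struct proc *p)
{
    p->deferred = 1;
    proc_put(p);
}

/* Model an in-flight transaction that took a reference before the target
 * was torn down. Returns 1 if the context was still valid when read, 0 if
 * the code would have dereferenced NULL (checked here instead of crashing),
 * -1 on allocation failure. */
static int transaction_after_teardown(void (*release)(struct proc *))
{
    struct proc *target = proc_new();
    int ok;

    if (!target)
        return -1;

    proc_get(target);      /* transaction holds its own reference */
    release(target);       /* the owner tears the target down meanwhile */

    /* same shape as the crashing line in the report */
    ok = target->context != NULL;
    if (ok)
        (void)(target->context->context_mgr_node == 42);

    proc_put(target);      /* transaction done; last reference frees */
    return ok;
}

int main(void)
{
    printf("buggy teardown: context valid = %d\n",
           transaction_after_teardown(deferred_release_buggy));
    printf("fixed teardown: context valid = %d\n",
           transaction_after_teardown(deferred_release_fixed));
    return 0;
}
```

The point of the model is the ordering, not the data structures: anything a reference holder is entitled to read must stay valid until the count reaches zero, so it belongs in the final free path rather than in a deferred release that can run while references are outstanding.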