From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 38114C3F6B0 for ; Wed, 3 Aug 2022 07:29:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235233AbiHCH3e (ORCPT ); Wed, 3 Aug 2022 03:29:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52700 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230166AbiHCH33 (ORCPT ); Wed, 3 Aug 2022 03:29:29 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2748D1B7B3; Wed, 3 Aug 2022 00:29:29 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 9D3676153F; Wed, 3 Aug 2022 07:29:28 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 789A3C433C1; Wed, 3 Aug 2022 07:29:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1659511768; bh=1AMumXsn09r0G6qP13M87wEobGRiCzvJnaO+AC6oFEg=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=aVeEE3DueIb4Bj5GZw5uhZeKCENFX+YQEHnrNxfEKD4RPiA7tkAdsScxQQ63iN2xz r2G2Rsb13P4Ts3kUq0OakUvhvXaB22JrlKU5bntQVpFXRJ8XUt1vtMkN5HHffFVCu/ A4ypoZnmH3rK/ky2nGovMHAvj5j/154fZ6kZFZfI= Date: Wed, 3 Aug 2022 09:29:24 +0200 From: Greg Kroah-Hartman To: Carlos Llamas Cc: Arve =?iso-8859-1?B?SGr4bm5lduVn?= , Todd Kjos , Martijn Coenen , Christian Brauner , Joel Fernandes , Suren Baghdasaryan , kernel-team@android.com, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: Re: [PATCH] binder: fix UAF of ref->proc caused by race condition Message-ID: References: <20220801182511.3371447-1-cmllamas@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Aug 02, 2022 at 07:40:32PM +0000, Carlos Llamas wrote: > On Mon, Aug 01, 2022 at 06:25:11PM +0000, Carlos Llamas wrote: > > A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the > > reference for a node. In this case, the target proc normally releases > > the failed reference upon close as expected. However, if the target is > > dying in parallel the call will race with binder_deferred_release(), so > > the target could have released all of its references by now leaving the > > cleanup of the new failed reference unhandled. > > > > The transaction then ends and the target proc gets released making the > > ref->proc now a dangling pointer. Later on, ref->node is closed and we > > attempt to take spin_lock(&ref->proc->inner_lock), which leads to the > > use-after-free bug reported below. Let's fix this by cleaning up the > > failed reference on the spot instead of relying on the target to do so. > > > > ================================================================== > > BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150 > > Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590 > > > > CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10 > > Hardware name: linux,dummy-virt (DT) > > Workqueue: events binder_deferred_func > > Call trace: > > dump_backtrace.part.0+0x1d0/0x1e0 > > show_stack+0x18/0x70 > > dump_stack_lvl+0x68/0x84 > > print_report+0x2e4/0x61c > > kasan_report+0xa4/0x110 > > kasan_check_range+0xfc/0x1a4 > > __kasan_check_write+0x3c/0x50 > > _raw_spin_lock+0xa8/0x150 > > binder_deferred_func+0x5e0/0x9b0 > > process_one_work+0x38c/0x5f0 > > worker_thread+0x9c/0x694 > > kthread+0x188/0x190 > > ret_from_fork+0x10/0x20 > > > > Signed-off-by: Carlos Llamas > > --- > > drivers/android/binder.c | 12 ++++++++++++ > > 1 file changed, 12 insertions(+) > > > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c > > index 362c0deb65f1..9d42afe60180 100644 > > --- a/drivers/android/binder.c > > +++ b/drivers/android/binder.c > > @@ -1361,6 +1361,18 @@ static int binder_inc_ref_for_node(struct binder_proc *proc, > > } > > ret = binder_inc_ref_olocked(ref, strong, target_list); > > *rdata = ref->data; > > + if (ret && ref == new_ref) { > > + /* > > + * Cleanup the failed reference here as the target > > + * could now be dead and have already released its > > + * references by now. Calling on the new reference > > + * with strong=0 and a tmp_refs will not decrement > > + * the node. The new_ref gets kfree'd below. > > + */ > > + binder_cleanup_ref_olocked(new_ref); > > + ref = NULL; > > + } > > + > > binder_proc_unlock(proc); > > if (new_ref && ref != new_ref) > > /* > > -- > > 2.37.1.455.g008518b4e5-goog > > > > Sorry, I forgot to CC stable. This patch should be applied to all stable > kernels starting with 4.14 and higher. > > Cc: stable@vger.kernel.org # 4.14+ Thanks, I'll add this when I queue it up after 5.20-rc1 is out. greg k-h