From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wr1-f73.google.com (mail-wr1-f73.google.com [209.85.221.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 737502FD7A0 for ; Thu, 22 Jan 2026 08:27:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.73 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769070438; cv=none; b=YSyQ7rvsEdRqK6ocYQK7rDsIZp/IxizsaVunIehNt2skaDOkDryiwvdqB7P9gMP8ORCn44r+8YbgsHYDSLT+Mn9lsxGh0J/MijFV8s8058Ib9yDpcZ6qjWB4NpsWCYEYbwJrJ7Vs3eHX7u+VB4grp6GoopuYMGQTYnrWCL/ifIU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769070438; c=relaxed/simple; bh=zLhPrj/S3Lp1YrH7R76kkkL4Hx2aqqVlWoq/PKx9VfA=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=rO0C93DHrD9fGq85PN0PN6aQ2uCHm44FWO3SrHqQZOrI3xVNpwIO2VtHJBqHqBh3Fz9hg1tgt3qqiNSRFDhUOyPHdqFw86ISLgzpyZQe+rb8dnvAqjBEFq3s3GO6u3xcHN0dpXlovz/BTcZootIRdGDtX3N12DvdV2WPp/y0wfs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--aliceryhl.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=zj17kUSo; arc=none smtp.client-ip=209.85.221.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--aliceryhl.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="zj17kUSo" Received: by mail-wr1-f73.google.com with SMTP id ffacd0b85a97d-430ffc4dc83so530078f8f.3 for ; Thu, 22 Jan 2026 00:27:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1769070435; x=1769675235; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=Y/Ugv7hVdM3oQW5SxzPuVxLvg8zpM2o/7djZvyT/c+Q=; b=zj17kUSoAAPpAH5HItMxb1opLyraVI1gx9GUNtCLOHpGh7vUpf7di4Dne7j9cZHQfO A/6Ga9mZfXW/KUpP3YhBL+9tV53O0ed5C1G14c+VJ0fe6xJ4P+d++mRNhIlU929UJrBx volxW4QxwbVt6zMa7eJh6Ryr3rRTzWhYlLZv+MxQxPlWk4PVIAtf54u22f1xxluWXk5O kM9N2xEsbZO/mZStCV8F0eH+5G98EGt/GrDGdncfHiAKPlKNCZp7NhnbNb9ifKVfW6zS 4EVQ42lGTaeZXiKnPfzVITppKPs8B7JgGDo9Ebz9FFxBaZAsim4iNMFNnhLjqiJVOECW j8Iw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769070435; x=1769675235; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Y/Ugv7hVdM3oQW5SxzPuVxLvg8zpM2o/7djZvyT/c+Q=; b=IL3fiXHnndjS8Akqz68ol97NsXtEuMmHKjm6MNSpP+ICaklspGYM4Pg/H6deCaXgeo bD11xeltrCuUI4LdrjGJfZrrt67cnXLy7M3ZTa94aDlNtpT3Yt9Rl7v8ePam+vDpjinY 5oSQHxPK/BeDd0rSmxWbDCjC83YlDTBtjt+KP/LeiUGC34Gqt2eGJie0SXM90eucMRFA hvDkSFZ7/WLrOYqZeVD0pg3LbNZbEnt08c67BGllap2byNcuVCPnWB8bkeqpsCy96CAQ HpS64Hmnck4zRg9CMasKya/rFBUGjvJqL61+ZU4Bj0fHtkBKIaz4UmcTotdKYOWobLRH 3VfA== X-Forwarded-Encrypted: i=1; AJvYcCUuhKsCDMYhXaGUqPymUGzkzzIh1xLubY3mbc6qiUPkCtVeoQ6fsOoH8cQlzxpysrXQQugB0ZwSmL8QmV0=@vger.kernel.org X-Gm-Message-State: AOJu0YxkFVbcgYe2MGfR+uBdEs3fwPC6KheYmcY9857U6u5/jOYwTFWE lboiAQa6s4CsNZxVpdU70LqIi8oOvrboLMtq0BoURfTU/IxVRTZ5podSARuqFkjDLyPN5oSJMGW Ng7rjQJGhyHTwdpCMTg== X-Received: from wrxm12.prod.google.com ([2002:a05:6000:8c:b0:435:9228:8a8]) (user=aliceryhl job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6000:40ce:b0:435:96ec:679e with SMTP id ffacd0b85a97d-43596ec685dmr10833855f8f.23.1769070434846; Thu, 22 Jan 2026 00:27:14 -0800 (PST) Date: Thu, 22 Jan 2026 08:27:13 +0000 In-Reply-To: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20260121145005.120507-1-cmllamas@google.com> Message-ID: Subject: Re: [PATCH] binder: fix UAF in binder_netlink_report() From: Alice Ryhl To: Carlos Llamas Cc: Greg Kroah-Hartman , "Arve =?utf-8?B?SGrDuG5uZXbDpWc=?=" , Todd Kjos , Christian Brauner , Li Li , kernel-team@android.com, linux-kernel@vger.kernel.org, stable@vger.kernel.org Content-Type: text/plain; charset="utf-8" On Wed, Jan 21, 2026 at 04:56:25PM +0000, Carlos Llamas wrote: > On Wed, Jan 21, 2026 at 03:24:06PM +0000, Alice Ryhl wrote: > > > > Erm, this solution seems dangerous to me. You access t->to_proc and > > t->to_thread inside binder_netlink_report(), and if t has been freed, > > could the same apply to t->to_proc or t->to_thread? > > > > After looking a bit more: I can see now that you do call > > > > if (target_thread) > > binder_thread_dec_tmpref(target_thread); > > binder_proc_dec_tmpref(target_proc); > > if (target_node) > > binder_dec_node_tmpref(target_node); > > > > after this ... so I guess it can't go wrong in this particular way. > > Right, the access to the target is safe because of the tmprefs just like > the rest of the transaction(). > > > But I'm concerned that we will add fields in the future where this is > > not the case. For example, let's say that tomorrow I want to include > > t->buffer->clear_on_free in the printed data. If the transaction is > > freed, then t->buffer might also be freed. > > You actually can't access t->buffer already, there are scenarios where > the t->buffer is released before calling binder_netlink_report(). Hmm, I suppose you are right. It may be worth mentioning that you can't access t->buffer in a comment inside netlink_report? Alice