From: Carlos Llamas <cmllamas@google.com>
To: Alice Ryhl <aliceryhl@google.com>
Cc: "Keshav Verma" <iganschel@gmail.com>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Arve Hjønnevåg" <arve@android.com>,
"Todd Kjos" <tkjos@android.com>,
"Christian Brauner" <brauner@kernel.org>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Boqun Feng" <boqun@kernel.org>, "Gary Guo" <gary@garyguo.net>,
linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org,
stable@kernel.org
Subject: Re: [PATCH v2] rust_binder: reject context manager self-transaction
Date: Thu, 25 Jun 2026 00:38:05 +0000
Message-ID: <ajx4bYtQRvBZp4M0@google.com>
In-Reply-To: <ajpv5xkakp06ArMj@google.com>
On Tue, Jun 23, 2026 at 11:37:11AM +0000, Alice Ryhl wrote:
> On Mon, Jun 22, 2026 at 08:28:01PM +0530, Keshav Verma wrote:
> > Rust binder resolves handle 0 to the context manager node, but it does not
> > reject the case where the caller owns the same node.
> >
> > The C binder driver rejects transactions from the context-manager process
> > to handle 0 after resolving the target node. Match that behavior in Rust
> > Binder by rejecting handle 0 transactions when the resolved context-manager
> > node is owned by the calling process.
> >
> > This applies to both synchronous and oneway transactions because both paths
> > resolve the target through Process::get_transaction_node().
> >
> > Cc: stable@kernel.org
> > Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
> > Signed-off-by: Keshav Verma <iganschel@gmail.com>
> > ---
> > Changes in v2:
> > - Compare the underlying OS process task instead of Rust Binder `Process` object.
>
> I would prefer to compare the Binder Process object. Rejecting
> transactions between different fds owned by the same process doesn't
> really have any benefit and makes fuzz testing much harder.
>
> Alice
Hey Alice,
The restrictions were added in the C version in order to patch
vulnerabilities associated with this "self-transaction" behavior.
See: http://git.kernel.org/torvalds/c/4b836a1426cb
I haven't really looked much into this, but do we even need this for the
Rust version? Is this even fixing anything at all?
--
Carlos Llamas
Thread overview:
2026-06-21 21:01 [PATCH] rust_binder: reject context manager self-transaction  Keshav Verma
2026-06-22 14:58 ` [PATCH v2] "  Keshav Verma
2026-06-23 11:37   ` Alice Ryhl
2026-06-25  0:38     ` Carlos Llamas [this message]
2026-06-25  5:52       ` Alice Ryhl