public inbox for stable@vger.kernel.org
* FAILED: patch "[PATCH] binder: use euid from cred instead of using task" failed to apply to 4.4-stable tree
From: gregkh @ 2021-11-09  7:23 UTC
  To: tkjos, casey, jannh, paul, stephen.smalley.work; +Cc: stable


The patch below does not apply to the 4.4-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 29bc22ac5e5bc63275e850f0c8fc549e3d0e306b Mon Sep 17 00:00:00 2001
From: Todd Kjos <tkjos@google.com>
Date: Tue, 12 Oct 2021 09:56:12 -0700
Subject: [PATCH] binder: use euid from cred instead of using task

Save the 'struct cred' associated with a binder process
at initial open to avoid potential race conditions
when converting to an euid.

Set a transaction's sender_euid from the 'struct cred'
saved at binder_open() instead of looking up the euid
from the binder proc's 'struct task'. This ensures
the euid is associated with the security context
of the task that opened binder.

Cc: stable@vger.kernel.org # 4.4+
Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
Signed-off-by: Todd Kjos <tkjos@google.com>
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Suggested-by: Jann Horn <jannh@google.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index d9030cb6b1e4..231cff9b3b75 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2702,7 +2702,7 @@ static void binder_transaction(struct binder_proc *proc,
 		t->from = thread;
 	else
 		t->from = NULL;
-	t->sender_euid = task_euid(proc->tsk);
+	t->sender_euid = proc->cred->euid;
 	t->to_proc = target_proc;
 	t->to_thread = target_thread;
 	t->code = tr->code;
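
Review bot: `t->sender_euid = proc->cred->euid;` in binder_transaction() now reports the euid captured by `get_cred(filp->f_cred)` in binder_open(), not the task's euid at transaction time, so a sender that changes its euid after opening the device keeps being identified by the opener's euid. That matches the commit message, but it is a semantic change for receivers that read sender_euid; please add a short comment at this assignment saying the value is deliberately the opener's euid.
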
@@ -4343,6 +4343,7 @@ static void binder_free_proc(struct binder_proc *proc)
 	}
 	binder_alloc_deferred_release(&proc->alloc);
 	put_task_struct(proc->tsk);
+	put_cred(proc->cred);
 	binder_stats_deleted(BINDER_STAT_PROC);
 	kfree(proc);
 }
@@ -5021,6 +5022,7 @@ static int binder_open(struct inode *nodp, struct file *filp)
 	spin_lock_init(&proc->outer_lock);
 	get_task_struct(current->group_leader);
 	proc->tsk = current->group_leader;
+	proc->cred = get_cred(filp->f_cred);
 	INIT_LIST_HEAD(&proc->todo);
 	init_waitqueue_head(&proc->freeze_wait);
 	proc->default_priority = task_nice(current);
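
Review bot: the reference taken by `proc->cred = get_cred(filp->f_cred);` in binder_open() is only dropped by the `put_cred(proc->cred);` added to binder_free_proc(). The lines shown here do not include binder_open()'s failure returns, so please confirm that any path that fails after this point releases proc through binder_free_proc() rather than a bare kfree(), otherwise the cred reference leaks.
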
diff --git a/drivers/android/binder_internal.h b/drivers/android/binder_internal.h
index 810c0b84d3f8..e7d4920b3368 100644
--- a/drivers/android/binder_internal.h
+++ b/drivers/android/binder_internal.h
@@ -364,6 +364,9 @@ struct binder_ref {
  *                        (invariant after initialized)
  * @tsk                   task_struct for group_leader of process
  *                        (invariant after initialized)
+ * @cred                  struct cred associated with the `struct file`
+ *                        in binder_open()
+ *                        (invariant after initialized)
  * @deferred_work_node:   element for binder_deferred_list
  *                        (protected by binder_deferred_lock)
  * @deferred_work:        bitmap of deferred work to perform
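
Review bot: the new `@cred` kernel-doc entry says where the pointer comes from but not that binder_proc owns a reference to it. Suggest stating that the reference is taken with get_cred() in binder_open() and dropped in binder_free_proc(), and that it is the opener's cred, which may differ from the current cred of `@tsk`. The backticks around `struct file` are also unlike the neighbouring entries, which use plain text.
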
@@ -424,6 +427,7 @@ struct binder_proc {
 	struct list_head waiting_threads;
 	int pid;
 	struct task_struct *tsk;
+	const struct cred *cred;
 	struct hlist_node deferred_work_node;
 	int deferred_work;
 	int outstanding_txns;



* Re: FAILED: patch "[PATCH] binder: use euid from cred instead of using task" failed to apply to 4.4-stable tree
From: Todd Kjos @ 2021-11-09 15:38 UTC
  To: gregkh; +Cc: casey, jannh, paul, stephen.smalley.work, stable

Hi Greg. I'll post backports for these this week.


On Mon, Nov 8, 2021 at 11:23 PM <gregkh@linuxfoundation.org> wrote:
>
>
> The patch below does not apply to the 4.4-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@vger.kernel.org>.
>
> thanks,
>
> greg k-h
>
> ------------------ original commit in Linus's tree ------------------
>
> From 29bc22ac5e5bc63275e850f0c8fc549e3d0e306b Mon Sep 17 00:00:00 2001
> From: Todd Kjos <tkjos@google.com>
> Date: Tue, 12 Oct 2021 09:56:12 -0700
> Subject: [PATCH] binder: use euid from cred instead of using task
>
> Save the 'struct cred' associated with a binder process
> at initial open to avoid potential race conditions
> when converting to an euid.
>
> Set a transaction's sender_euid from the 'struct cred'
> saved at binder_open() instead of looking up the euid
> from the binder proc's 'struct task'. This ensures
> the euid is associated with the security context
> of the task that opened binder.
>
> Cc: stable@vger.kernel.org # 4.4+
> Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
> Signed-off-by: Todd Kjos <tkjos@google.com>
> Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> Suggested-by: Jann Horn <jannh@google.com>
> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
> Signed-off-by: Paul Moore <paul@paul-moore.com>
>
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index d9030cb6b1e4..231cff9b3b75 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -2702,7 +2702,7 @@ static void binder_transaction(struct binder_proc *proc,
>                 t->from = thread;
>         else
>                 t->from = NULL;
> -       t->sender_euid = task_euid(proc->tsk);
> +       t->sender_euid = proc->cred->euid;
>         t->to_proc = target_proc;
>         t->to_thread = target_thread;
>         t->code = tr->code;
> @@ -4343,6 +4343,7 @@ static void binder_free_proc(struct binder_proc *proc)
>         }
>         binder_alloc_deferred_release(&proc->alloc);
>         put_task_struct(proc->tsk);
> +       put_cred(proc->cred);
>         binder_stats_deleted(BINDER_STAT_PROC);
>         kfree(proc);
>  }
> @@ -5021,6 +5022,7 @@ static int binder_open(struct inode *nodp, struct file *filp)
>         spin_lock_init(&proc->outer_lock);
>         get_task_struct(current->group_leader);
>         proc->tsk = current->group_leader;
> +       proc->cred = get_cred(filp->f_cred);
>         INIT_LIST_HEAD(&proc->todo);
>         init_waitqueue_head(&proc->freeze_wait);
>         proc->default_priority = task_nice(current);
> diff --git a/drivers/android/binder_internal.h b/drivers/android/binder_internal.h
> index 810c0b84d3f8..e7d4920b3368 100644
> --- a/drivers/android/binder_internal.h
> +++ b/drivers/android/binder_internal.h
> @@ -364,6 +364,9 @@ struct binder_ref {
>   *                        (invariant after initialized)
>   * @tsk                   task_struct for group_leader of process
>   *                        (invariant after initialized)
> + * @cred                  struct cred associated with the `struct file`
> + *                        in binder_open()
> + *                        (invariant after initialized)
>   * @deferred_work_node:   element for binder_deferred_list
>   *                        (protected by binder_deferred_lock)
>   * @deferred_work:        bitmap of deferred work to perform
> @@ -424,6 +427,7 @@ struct binder_proc {
>         struct list_head waiting_threads;
>         int pid;
>         struct task_struct *tsk;
> +       const struct cred *cred;
>         struct hlist_node deferred_work_node;
>         int deferred_work;
>         int outstanding_txns;
>


* Re: FAILED: patch "[PATCH] binder: use euid from cred instead of using task" failed to apply to 4.4-stable tree
From: Paul Moore @ 2021-11-09 15:40 UTC
  To: Todd Kjos; +Cc: gregkh, casey, jannh, stephen.smalley.work, stable

On Tue, Nov 9, 2021 at 10:38 AM Todd Kjos <tkjos@google.com> wrote:
> Hi Greg. I'll post backports for these this week.

Thanks Todd, I was going to ping you later today to see if you were
planning to work on these.  If you run into any problems or can't get
to them let me know.

> On Mon, Nov 8, 2021 at 11:23 PM <gregkh@linuxfoundation.org> wrote:
> > The patch below does not apply to the 4.4-stable tree.
> > If someone wants it applied there, or to any other stable or longterm
> > tree, then please email the backport, including the original git commit
> > id to <stable@vger.kernel.org>.
> >
> > thanks,
> >
> > greg k-h
> >
> > ------------------ original commit in Linus's tree ------------------
> >
> > From 29bc22ac5e5bc63275e850f0c8fc549e3d0e306b Mon Sep 17 00:00:00 2001
> > From: Todd Kjos <tkjos@google.com>
> > Date: Tue, 12 Oct 2021 09:56:12 -0700
> > Subject: [PATCH] binder: use euid from cred instead of using task
> >
> > Save the 'struct cred' associated with a binder process
> > at initial open to avoid potential race conditions
> > when converting to an euid.
> >
> > Set a transaction's sender_euid from the 'struct cred'
> > saved at binder_open() instead of looking up the euid
> > from the binder proc's 'struct task'. This ensures
> > the euid is associated with the security context
> > of the task that opened binder.
> >
> > Cc: stable@vger.kernel.org # 4.4+
> > Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
> > Signed-off-by: Todd Kjos <tkjos@google.com>
> > Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> > Suggested-by: Jann Horn <jannh@google.com>
> > Acked-by: Casey Schaufler <casey@schaufler-ca.com>
> > Signed-off-by: Paul Moore <paul@paul-moore.com>

-- 
paul moore
www.paul-moore.com
