From: Greg KH <gregkh@linuxfoundation.org>
To: Todd Kjos <tkjos@android.com>
Cc: tkjos@google.com, arve@android.com, devel@driverdev.osuosl.org,
linux-kernel@vger.kernel.org, maco@google.com,
stable@vger.kernel.org, kernel-team@android.com
Subject: Re: [PATCH] binder: fix race that allows malicious free of live buffer
Date: Fri, 9 Nov 2018 04:32:04 -0800 [thread overview]
Message-ID: <20181109123204.GA11583@kroah.com> (raw)
In-Reply-To: <20181106235532.171646-1-tkjos@google.com>
On Tue, Nov 06, 2018 at 03:55:32PM -0800, Todd Kjos wrote:
> Malicious code can attempt to free buffers using the
> BC_FREE_BUFFER ioctl to binder. There are protections
> against a user freeing a buffer while in use by the
> kernel, however there was a window where BC_FREE_BUFFER
> could be used to free a recently allocated buffer that
> was not completely initialized. This resulted in a
> use-after-free detected by KASAN with a malicious
> test program.
>
> This window is closed by setting the buffer's
> allow_user_free attribute to 0 when the buffer
> is allocated or when the user has previously
> freed it instead of waiting for the caller
> to set it. The problem was that when the struct
> buffer was recycled, allow_user_free was stale
> and set to 1 allowing a free to go through.
>
> Signed-off-by: Todd Kjos <tkjos@google.com>
> Acked-by: Arve Hj�nnev�g <arve@android.com>
No "stable" tag here? Any idea how far back the stable backporting
should go, if any?
thanks,
greg k-h
next prev parent reply other threads:[~2018-11-09 22:12 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-06 23:55 [PATCH] binder: fix race that allows malicious free of live buffer Todd Kjos
2018-11-09 12:32 ` Greg KH [this message]
2018-11-09 16:22 ` Todd Kjos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181109123204.GA11583@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=arve@android.com \
--cc=devel@driverdev.osuosl.org \
--cc=kernel-team@android.com \
--cc=linux-kernel@vger.kernel.org \
--cc=maco@google.com \
--cc=stable@vger.kernel.org \
--cc=tkjos@android.com \
--cc=tkjos@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox