From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.kernel.org ([198.145.29.99]:41988 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727560AbeKIWMa (ORCPT ); Fri, 9 Nov 2018 17:12:30 -0500 Date: Fri, 9 Nov 2018 04:32:04 -0800 From: Greg KH To: Todd Kjos Cc: tkjos@google.com, arve@android.com, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, maco@google.com, stable@vger.kernel.org, kernel-team@android.com Subject: Re: [PATCH] binder: fix race that allows malicious free of live buffer Message-ID: <20181109123204.GA11583@kroah.com> References: <20181106235532.171646-1-tkjos@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20181106235532.171646-1-tkjos@google.com> Sender: stable-owner@vger.kernel.org List-ID: On Tue, Nov 06, 2018 at 03:55:32PM -0800, Todd Kjos wrote: > Malicious code can attempt to free buffers using the > BC_FREE_BUFFER ioctl to binder. There are protections > against a user freeing a buffer while in use by the > kernel, however there was a window where BC_FREE_BUFFER > could be used to free a recently allocated buffer that > was not completely initialized. This resulted in a > use-after-free detected by KASAN with a malicious > test program. > > This window is closed by setting the buffer's > allow_user_free attribute to 0 when the buffer > is allocated or when the user has previously > freed it instead of waiting for the caller > to set it. The problem was that when the struct > buffer was recycled, allow_user_free was stale > and set to 1 allowing a free to go through. > > Signed-off-by: Todd Kjos > Acked-by: Arve Hj�nnev�g No "stable" tag here? Any idea how far back the stable backporting should go, if any? thanks, greg k-h