From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Todd Kjos <tkjos@google.com>
Subject: [PATCH 4.14 14/19] binder: fix async_free_space accounting for empty parcels
Date: Mon, 3 Jan 2022 15:21:31 +0100 [thread overview]
Message-ID: <20220103142052.537383824@linuxfoundation.org> (raw)
In-Reply-To: <20220103142052.068378906@linuxfoundation.org>
From: Todd Kjos <tkjos@google.com>
commit cfd0d84ba28c18b531648c9d4a35ecca89ad9901 upstream.
In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
fixed a kernel structure visibility issue. As part of that patch,
sizeof(void *) was used as the buffer size for 0-length data payloads so
the driver could detect abusive clients sending 0-length asynchronous
transactions to a server by enforcing limits on async_free_size.
Unfortunately, on the "free" side, the accounting of async_free_space
did not add the sizeof(void *) back. The result was that up to 8-bytes of
async_free_space were leaked on every async transaction of 8-bytes or
less. These small transactions are uncommon, so this accounting issue
has gone undetected for several years.
The fix is to use "buffer_size" (the allocated buffer size) instead of
"size" (the logical buffer size) when updating the async_free_space
during the free operation. These are the same except for this
corner case of asynchronous transactions with payloads < 8 bytes.
Fixes: 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable@vger.kernel.org # 4.14+
Link: https://lore.kernel.org/r/20211220190150.2107077-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/binder_alloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c
@@ -619,7 +619,7 @@ static void binder_free_buf_locked(struc
BUG_ON(buffer->data > alloc->buffer + alloc->buffer_size);
if (buffer->async_transaction) {
- alloc->free_async_space += size + sizeof(struct binder_buffer);
+ alloc->free_async_space += buffer_size + sizeof(struct binder_buffer);
binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
"%d: binder_free_buf size %zd async free %zd\n",
next prev parent reply other threads:[~2022-01-03 14:23 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-03 14:21 [PATCH 4.14 00/19] 4.14.261-rc1 review Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 01/19] HID: asus: Add depends on USB_HID to HID_ASUS Kconfig option Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 02/19] tee: handle lookup of shm with reference count 0 Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 03/19] platform/x86: apple-gmux: use resource_size() with res Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 04/19] recordmcount.pl: fix typo in s390 mcount regex Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 05/19] selinux: initialize proto variable in selinux_ip_postroute_compat() Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 06/19] scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write() Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 07/19] net: usb: pegasus: Do not drop long Ethernet frames Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 08/19] NFC: st21nfca: Fix memory leak in device probe and remove Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 09/19] fsl/fman: Fix missing put_device() call in fman_port_probe Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 10/19] nfc: uapi: use kernel size_t to fix user-space builds Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 11/19] uapi: fix linux/nfc.h userspace compilation errors Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 12/19] xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 13/19] usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear Greg Kroah-Hartman
2022-01-03 14:21 ` Greg Kroah-Hartman [this message]
2022-01-03 14:21 ` [PATCH 4.14 15/19] scsi: vmw_pvscsi: Set residual data length conditionally Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 16/19] Input: appletouch - initialize work before device registration Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 17/19] Input: spaceball - fix parsing of movement data packets Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 18/19] net: fix use-after-free in tw_timer_handler Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 19/19] sctp: use call_rcu to free endpoint Greg Kroah-Hartman
2022-01-04 1:24 ` [PATCH 4.14 00/19] 4.14.261-rc1 review Guenter Roeck
2022-01-04 9:53 ` Jon Hunter
2022-01-04 13:39 ` Naresh Kamboju
2022-01-05 2:19 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220103142052.537383824@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tkjos@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).