From: Carlos Llamas <cmllamas@google.com>
To: Alice Ryhl <aliceryhl@google.com>
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Arve Hjønnevåg" <arve@android.com>,
"Todd Kjos" <tkjos@android.com>,
"Martijn Coenen" <maco@android.com>,
"Joel Fernandes" <joel@joelfernandes.org>,
"Christian Brauner" <brauner@kernel.org>,
"Suren Baghdasaryan" <surenb@google.com>,
"Yu-Ting Tseng" <yutingtseng@google.com>,
linux-kernel@vger.kernel.org, kernel-team@android.com,
stable@vger.kernel.org
Subject: Re: [PATCH 2/4] binder: fix OOB in binder_add_freeze_work()
Date: Wed, 25 Sep 2024 18:09:40 +0000 [thread overview]
Message-ID: <ZvRR5NT51nSuBhb8@google.com> (raw)
In-Reply-To: <ZvRRJiRe7zwyPeY7@google.com>
On Wed, Sep 25, 2024 at 06:06:30PM +0000, Carlos Llamas wrote:
> On Wed, Sep 25, 2024 at 07:52:37PM +0200, Alice Ryhl wrote:
> > > > I reviewed some other code paths to verify whether there are other
> > > > problems with processes dying concurrently with operations on freeze
> > > > notifications. I didn't notice any other memory safety issues, but I
> > >
> > > Yeah most other paths are protected with binder_procs_lock mutex.
> > >
> > > > noticed that binder_request_freeze_notification returns EINVAL if you
> > > > try to use it with a node from a dead process. That seems problematic,
> > > > as this means that there's no way to invoke that command without
> > > > risking an EINVAL error if the remote process dies. We should not
> > > > return EINVAL errors on correct usage of the driver.
> > >
> > > Agreed, this should probably be -ESRCH or something. I'll add it to v2,
> > > thanks for the suggestion.
> >
> > Well, maybe? I think it's best to not return errnos from these
> > commands at all, as they obscure how many commands were processed.
>
> This is problematic, particularly when it's a multi-command buffer.
> Userspace doesn't really know which one failed and if any of them
> succeeded. Agreed.
>
> >
> > Since the node still exists even if the process dies, perhaps we can
> > just let you create the freeze notification even if it's dead? We can
> > make it end up in the same state as if you request a freeze
> > notification and the process then dies afterwards.
>
> It's a dead node, there is no process associated with it. It would be
> incorrect to setup the notification as it doesn't have a frozen status
> anymore. We can't determine the ref->node->proc->is_frozen?
>
> We could silently fail and skip the notification, but I don't know if
> userspace will attempt to release it later... and fail with EINVAL.
>
FWIW, we already propagate errors when the target process or node is
dead in some other places. It makes sense to me to let userspace know
that we couldn't setup the frozen notification.
next prev parent reply other threads:[~2024-09-25 18:09 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-24 18:43 [PATCH 0/4] binder: several fixes for frozen notification Carlos Llamas
2024-09-24 18:43 ` [PATCH 1/4] binder: fix node UAF in binder_add_freeze_work() Carlos Llamas
2024-09-25 2:58 ` Todd Kjos
2024-09-25 8:03 ` Alice Ryhl
2024-09-24 18:43 ` [PATCH 2/4] binder: fix OOB " Carlos Llamas
2024-09-25 3:03 ` Todd Kjos
2024-09-25 8:02 ` Alice Ryhl
2024-09-25 17:48 ` Carlos Llamas
2024-09-25 17:52 ` Alice Ryhl
2024-09-25 18:06 ` Carlos Llamas
2024-09-25 18:09 ` Carlos Llamas [this message]
2024-09-26 8:06 ` Alice Ryhl
2024-09-26 14:39 ` Carlos Llamas
2024-09-24 18:43 ` [PATCH 3/4] binder: fix freeze UAF in binder_release_work() Carlos Llamas
2024-09-25 0:52 ` Todd Kjos
2024-09-25 8:03 ` Alice Ryhl
2024-09-24 18:43 ` [PATCH 4/4] binder: fix BINDER_WORK_FROZEN_BINDER debug logs Carlos Llamas
2024-09-25 0:43 ` Todd Kjos
2024-09-25 7:36 ` Alice Ryhl
2024-09-25 17:25 ` Carlos Llamas
2024-09-26 3:54 ` Carlos Llamas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZvRR5NT51nSuBhb8@google.com \
--to=cmllamas@google.com \
--cc=aliceryhl@google.com \
--cc=arve@android.com \
--cc=brauner@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=joel@joelfernandes.org \
--cc=kernel-team@android.com \
--cc=linux-kernel@vger.kernel.org \
--cc=maco@android.com \
--cc=stable@vger.kernel.org \
--cc=surenb@google.com \
--cc=tkjos@android.com \
--cc=yutingtseng@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox