public inbox for stable@vger.kernel.org
From: Carlos Llamas <cmllamas@google.com>
To: Alice Ryhl <aliceryhl@google.com>
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	"Arve Hjønnevåg" <arve@android.com>,
	"Todd Kjos" <tkjos@android.com>,
	"Christian Brauner" <brauner@kernel.org>,
	"Li Li" <dualli@google.com>,
	kernel-team@android.com, linux-kernel@vger.kernel.org,
	stable@vger.kernel.org
Subject: Re: [PATCH] binder: fix UAF in binder_netlink_report()
Date: Wed, 21 Jan 2026 16:56:25 +0000	[thread overview]
Message-ID: <aXEFObeAwlzXprDC@google.com> (raw)
In-Reply-To: <aXDvlhDvCpzf62KH@google.com>

On Wed, Jan 21, 2026 at 03:24:06PM +0000, Alice Ryhl wrote:
> 
> Erm, this solution seems dangerous to me. You access t->to_proc and
> t->to_thread inside binder_netlink_report(), and if t has been freed,
> could the same apply to t->to_proc or t->to_thread?
> 
> After looking a bit more: I can see now that you do call
> 
> 	if (target_thread)
> 		binder_thread_dec_tmpref(target_thread);
> 	binder_proc_dec_tmpref(target_proc);
> 	if (target_node)
> 		binder_dec_node_tmpref(target_node);
> 
> after this ... so I guess it can't go wrong in this particular way.

Right, the access to the target is safe because of the tmprefs just like
the rest of the transaction().

> But I'm concerned that we will add fields in the future where this is
> not the case. For example, let's say that tomorrow I want to include
> t->buffer->clear_on_free in the printed data. If the transaction is
> freed, then t->buffer might also be freed.

You actually can't access t->buffer already, there are scenarios where
the t->buffer is released before calling binder_netlink_report().

...

There is really nothing dangerous added by this solution. The fragile
part you mention comes from passing 't' to binder_netlink_report() in
the first place. As opposed to some static struct that contains all the
necessary info without potential issues. This is already present.

The ideal solution would be to refactor binder_transaction() to have a
central place where everything gets populated instead of having separate
objects for 'binder_transaction', 'binder_transaction_log_entry' and
'binder_extended_error'. All of them keep duplicated info and we don't
need more of them.

However, this is a larger effort that would require extensive testing as
we might introduce new issues, etc. I'm not sure that we even want to go
there. This solves the problem at hand so let's just fix it and move on.

--
Carlos Llamas
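
The pattern discussed in this thread, as an added userspace model that is not the patch and not the binder driver's code: the target proc is pinned by a temporary reference ("tmpref") while the report runs, and the fields the report needs are copied out of the transaction into a plain value struct before the transaction itself can be freed, so the reporter never dereferences the transaction after the point where the driver may have released it. All names (struct tx, struct tx_report, run_failure_path, ...) are hypothetical stand-ins for the binder types mentioned above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for binder_proc: kept alive by tmprefs. */
struct proc {
    int pid;
    int tmpref;   /* temporary references held by in-flight users */
    int freed;    /* set when the last tmpref drops (model of kfree) */
};

/* Hypothetical stand-in for binder_transaction. */
struct tx {
    unsigned int debug_id;
    unsigned int code;
    struct proc *to_proc;
};

/* Plain-value snapshot: safe to use after the transaction is gone. */
struct tx_report {
    unsigned int debug_id;
    unsigned int code;
    int to_pid;
};

static void proc_inc_tmpref(struct proc *p) { p->tmpref++; }

static void proc_dec_tmpref(struct proc *p)
{
    if (--p->tmpref == 0)
        p->freed = 1;   /* the real driver would free the object here */
}

/* Copy everything the report needs while t and t->to_proc are valid. */
static struct tx_report snapshot_tx(const struct tx *t)
{
    struct tx_report r;
    r.debug_id = t->debug_id;
    r.code = t->code;
    r.to_pid = t->to_proc ? t->to_proc->pid : 0;
    return r;
}

static char report_buf[64];

/* The reporter works only from the snapshot, never from the transaction. */
static void report(const struct tx_report *r)
{
    snprintf(report_buf, sizeof(report_buf), "tx %u code %u -> pid %d",
             r->debug_id, r->code, r->to_pid);
}

const char *last_report(void) { return report_buf; }

/* Simulated failure path: pin the target, snapshot, release the
 * transaction early (as the thread describes for t->buffer), then report.
 * Returns 1 when the tmpref was balanced and the proc was released. */
int run_failure_path(void)
{
    struct proc p = { .pid = 1234, .tmpref = 0, .freed = 0 };
    struct tx *t = calloc(1, sizeof(*t));
    if (!t)
        return -1;
    t->debug_id = 42;
    t->code = 7;
    t->to_proc = &p;

    proc_inc_tmpref(&p);                 /* target pinned for the duration */
    struct tx_report r = snapshot_tx(t); /* constructed sample transaction */
    free(t);                             /* transaction released before the report */
    t = NULL;
    report(&r);                          /* no access through t here */
    proc_dec_tmpref(&p);
    return p.freed ? 1 : 0;
}

int main(void)
{
    int rc = run_failure_path();
    printf("%s (proc released: %d)\n", last_report(), rc);
    return rc == 1 ? 0 : 1;
}
```

The snapshot struct plays the role of the "static struct that contains all the necessary info" suggested above: once the reporter takes a value copy instead of a pointer to the transaction, adding a new field later means adding it to the snapshot at the one place where the transaction is known to be valid, rather than auditing every reporter call site.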


Thread overview: 7+ messages
2026-01-21 14:50 [PATCH] binder: fix UAF in binder_netlink_report() Carlos Llamas
2026-01-21 15:24 ` Alice Ryhl
2026-01-21 16:56   ` Carlos Llamas [this message]
2026-01-22  8:27     ` Alice Ryhl
2026-01-22 17:48       ` Carlos Llamas
2026-01-22 18:02       ` [PATCH v2] " Carlos Llamas
2026-01-23  9:18         ` Alice Ryhl
