git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit
binder: fix race that allows malicious free of live buffer
author    Todd Kjos <tkjos@android.com>
          Tue, 6 Nov 2018 23:55:32 +0000 (15:55 -0800)
committer Sultan Alsawaf <sultan.alsawaf@canonical.com>
          Wed, 24 Jul 2019 15:44:58 +0000 (09:44 -0600)
commit    9188630d783e83ee83552eda3fb32efcefdcfb34
tree      eaf2411dc5af09d3e2de97919b183970b000074f
parent    af61aada4b86b3c66ad594f7c49ceed8faa01ee3
binder: fix race that allows malicious free of live buffer

BugLink: https://bugs.launchpad.net/bugs/1836968
commit 7bada55ab50697861eee6bb7d60b41e68a961a9c upstream.

Malicious code can attempt to free buffers using the BC_FREE_BUFFER
ioctl to binder. There are protections against a user freeing a buffer
while in use by the kernel, however there was a window where
BC_FREE_BUFFER could be used to free a recently allocated buffer that
was not completely initialized. This resulted in a use-after-free
detected by KASAN with a malicious test program.

This window is closed by setting the buffer's allow_user_free attribute
to 0 when the buffer is allocated or when the user has previously freed
it instead of waiting for the caller to set it. The problem was that
when the struct buffer was recycled, allow_user_free was stale and set
to 1 allowing a free to go through.

Signed-off-by: Todd Kjos <tkjos@google.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Cc: stable <stable@vger.kernel.org> # 4.14
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
drivers/android/binder.c
drivers/android/binder_alloc.c
drivers/android/binder_alloc.h
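The race the commit message describes is a stale-state bug on a recycled object: a freed struct keeps allow_user_free = 1, the allocator hands it out again, and BC_FREE_BUFFER is accepted before the kernel has finished initialising the new transaction. The following is an added, constructed model of that pattern, not code from the binder driver or from this commit; the struct buf, the slot pool, and the new_buf/user_free/kernel_init helpers are hypothetical stand-ins for the real allocator, and the fixed flag switches between the pre-fix behaviour (flag cleared late by the caller, never cleared on user free) and the post-fix behaviour (flag cleared at allocation and on user free).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a recycled binder-style buffer slot. These are
 * illustration types and functions, not the kernel's binder_alloc code. */
struct buf {
    bool in_use;           /* slot currently holds a live allocation */
    bool allow_user_free;  /* may BC_FREE_BUFFER release this slot? */
    bool initialized;      /* kernel finished filling the transaction */
};

#define NBUF 2
static struct buf pool[NBUF];

/* Allocate a free slot. With fixed == false the flag is left stale from
 * the previous occupant (pre-fix); with fixed == true it is cleared here. */
static struct buf *new_buf(bool fixed)
{
    for (int i = 0; i < NBUF; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            pool[i].initialized = false;
            if (fixed)
                pool[i].allow_user_free = false;
            return &pool[i];
        }
    }
    return NULL;
}

/* BC_FREE_BUFFER path: refuse unless userspace is allowed to free.
 * The fix also clears the flag here so a stale 1 cannot survive a free. */
static int user_free(struct buf *b, bool fixed)
{
    if (!b->in_use || !b->allow_user_free)
        return -1;                    /* stands in for -EPERM */
    if (fixed)
        b->allow_user_free = false;
    b->in_use = false;
    return 0;
}

/* Kernel side: initialise the buffer, then hand it to userspace.
 * Before the fix the caller was the one clearing the flag, but only
 * after new_buf() had returned, which is the window being modelled. */
static void kernel_init(struct buf *b, bool fixed)
{
    if (!fixed)
        b->allow_user_free = false;   /* too late if a free raced in */
    b->initialized = true;
    b->allow_user_free = true;        /* now userspace may free it */
}

/* Scenario: one honest allocate/init/free cycle, then a second allocation
 * that an attacker tries to free before kernel_init() runs. Returns true
 * if that racing free succeeded on an uninitialised buffer, i.e. the
 * use-after-free window is open. */
bool race_frees_uninitialized(bool fixed)
{
    memset(pool, 0, sizeof pool);

    struct buf *b1 = new_buf(fixed);
    kernel_init(b1, fixed);
    if (user_free(b1, fixed) != 0)
        return false;                 /* an honest free must still work */

    struct buf *b2 = new_buf(fixed);  /* recycles b1's slot */
    int rc = user_free(b2, fixed);    /* attacker's BC_FREE_BUFFER races here */
    bool window_open = (rc == 0 && !b2->initialized);
    kernel_init(b2, fixed);           /* kernel carries on regardless */
    return window_open;
}

int main(void)
{
    printf("pre-fix : racing free succeeds on uninitialised buffer = %s\n",
           race_frees_uninitialized(false) ? "yes" : "no");
    printf("post-fix: racing free succeeds on uninitialised buffer = %s\n",
           race_frees_uninitialized(true) ? "yes" : "no");
    return 0;
}
```

The general lesson the model isolates: any permission bit that lives inside a recycled object must be reset by the allocator under the same lock that hands the object out, not by the caller afterwards, and a consumer that honours the bit should clear it on the way through so a single grant cannot be replayed.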