rust_binder: check current before closing fds

This list gets populated once the transaction is delivered to the target process, at which point it's not touched again except in BC_FREE_BUFFER and process exit, so if the list has been populated then this code should not run in the context of the wrong userspace process. However, why tempt fate? The function itself can run in the context of both the sender and receiver, and if someone can engineer a scenario where it runs in the sender and this list is non-empty (or future Rust Binder changes make such a scenario possible), then that'd be a problem because we'd be closing random unrelated fds in the wrong process. Note that on process exit, the == comparison may actually fail because it's called from a kthread. The fd closing code is a no-op on kthreads, so there is no actual behavior different though. Suggested-by: Jann Horn <jannh@google.com> Signed-off-by: Alice Ryhl <aliceryhl@google.com> Link: https://patch.msgid.link/20260324-close-fd-check-current-v3-4-b94274bedac7@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-05-12 16:18:45 +02:00 · 2026-03-24 20:02:38 +00:00 · 2026-03-24 20:02:38 +00:00 · fc74559e2d
commit fc74559e2d
parent ed72cfffc4
1 changed files with 15 additions and 12 deletions
--- a/drivers/android/binder/allocation.rs
+++ b/drivers/android/binder/allocation.rs
@ -257,19 +257,22 @@ fn drop(&mut self) {
                }
            }

-            for &fd in &info.file_list.close_on_free {
-                let closer = match DeferredFdCloser::new(GFP_KERNEL) {
-                    Ok(closer) => closer,
-                    Err(kernel::alloc::AllocError) => {
-                        // Ignore allocation failures.
-                        break;
-                    }
-                };
+            if self.process.task == kernel::current!().group_leader() {
+                for &fd in &info.file_list.close_on_free {
+                    let closer = match DeferredFdCloser::new(GFP_KERNEL) {
+                        Ok(closer) => closer,
+                        Err(kernel::alloc::AllocError) => {
+                            // Ignore allocation failures.
+                            break;
+                        }
+                    };

-                // Here, we ignore errors. The operation can fail if the fd is not valid, or if the
-                // method is called from a kthread. However, this is always called from a syscall,
-                // so the latter case cannot happen, and we don't care about the first case.
-                let _ = closer.close_fd(fd);
+                    // Here, we ignore errors. The operation can fail if the fd is not valid, or if
+                    // the method is called from a kthread. However, this is always called from a
+                    // syscall, so the latter case cannot happen, and we don't care about the first
+                    // case.
+                    let _ = closer.close_fd(fd);
+                }
            }

            if info.clear_on_free {