github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-08 22:52:35 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
Linux kernel source tree
800,860 Commits 1 Branch 934 Tags 20 GiB
C 97%
Assembly 1%
Shell 0.6%
Rust 0.5%
Python 0.4%
Other 0.3%
41e863e2ea
Go to file
Todd Kjos 41e863e2ea UPSTREAM: binder: fix null deref of proc->context 
commit d35d3660e0 upstream.

The binder driver makes the assumption proc->context pointer is invariant after
initialization (as documented in the kerneldoc header for struct proc).
However, in commit f0fe2c0f05 ("binder: prevent UAF for binderfs devices II")
proc->context is set to NULL during binder_deferred_release().

Another proc was in the middle of setting up a transaction to the dying
process and crashed on a NULL pointer deref on "context" which is a local
set to &proc->context:

    new_ref->data.desc = (node == context->binder_context_mgr_node) ? 0 : 1;

Here's the stack:

[ 5237.855435] Call trace:
[ 5237.855441] binder_get_ref_for_node_olocked+0x100/0x2ec
[ 5237.855446] binder_inc_ref_for_node+0x140/0x280
[ 5237.855451] binder_translate_binder+0x1d0/0x388
[ 5237.855456] binder_transaction+0x2228/0x3730
[ 5237.855461] binder_thread_write+0x640/0x25bc
[ 5237.855466] binder_ioctl_write_read+0xb0/0x464
[ 5237.855471] binder_ioctl+0x30c/0x96c
[ 5237.855477] do_vfs_ioctl+0x3e0/0x700
[ 5237.855482] __arm64_sys_ioctl+0x78/0xa4
[ 5237.855488] el0_svc_common+0xb4/0x194
[ 5237.855493] el0_svc_handler+0x74/0x98
[ 5237.855497] el0_svc+0x8/0xc

The fix is to move the kfree of the binder_device to binder_free_proc()
so the binder_device is freed when we know there are no references
remaining on the binder_proc.

Fixes: f0fe2c0f05 ("binder: prevent UAF for binderfs devices II")
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200622200715.114382-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I933c938ea85889f77fb634bbed29a7cd74527dcc
2020-07-07 00:12:16 +00:00
arch Linux 4.19.131 2020-07-01 13:11:06 +02:00
block Linux 4.19.131 2020-07-01 13:11:06 +02:00
certs export.h: remove VMLINUX_SYMBOL() and VMLINUX_SYMBOL_STR() 2018-08-22 23:21:44 +09:00
crypto This is the 4.19.130 stable release 2020-06-27 09:50:13 +02:00
Documentation This is the 4.19.130 stable release 2020-06-27 09:50:13 +02:00
drivers UPSTREAM: binder: fix null deref of proc->context 2020-07-07 00:12:16 +00:00
firmware Fix built-in early-load Intel microcode alignment 2020-01-23 08:21:29 +01:00
fs Linux 4.19.131 2020-07-01 13:11:06 +02:00
include Revert "drm/dsi: Fix byte order of DCS set/get brightness" 2020-07-01 18:58:38 +00:00
init This is the 4.19.124 stable release 2020-05-20 11:37:46 +02:00
ipc Revert "ANDROID: vfs: Add permission2 for filesystems with per mount permissions" 2020-06-27 15:17:42 +02:00
kernel ANDROID: cpufreq: schedutil: maintain raw cache when next_f is not changed 2020-07-06 22:42:28 +00:00
lib ANDROID: lib/vdso: do not update timespec if clock_getres() fails 2020-06-30 05:51:06 +00:00
LICENSES LICENSES: Remove CC-BY-SA-4.0 license text 2018-10-18 11:28:50 +02:00
mm Linux 4.19.131 2020-07-01 13:11:06 +02:00
net Linux 4.19.131 2020-07-01 13:11:06 +02:00
samples This is the 4.19.126 stable release 2020-06-03 09:23:15 +02:00
scripts ANDROID: GKI: scripts: Makefile: update the lz4 command (#2) 2020-07-02 00:44:44 +00:00
security Linux 4.19.131 2020-07-01 13:11:06 +02:00
sound Linux 4.19.131 2020-07-01 13:11:06 +02:00
tools This is the 4.19.130 stable release 2020-06-27 09:50:13 +02:00
usr initramfs: restore default compression behavior 2020-04-13 10:44:59 +02:00
virt KVM: arm64: Synchronize sysreg state on injecting an AArch32 exception 2020-06-22 09:05:09 +02:00
.clang-format clang-format: Set IndentWrappedFunctionNames false 2018-08-01 18:38:51 +02:00
.cocciconfig scripts: add Linux .cocciconfig for coccinelle 2016-07-22 12:13:39 +02:00
.get_maintainer.ignore
.gitattributes .gitattributes: set git diff driver for C source code files 2016-10-07 18:46:30 -07:00
.gitignore Kbuild updates for v4.17 (2nd) 2018-04-15 17:21:30 -07:00
.mailmap libnvdimm-for-4.19_misc 2018-08-25 18:13:10 -07:00
abi_gki_aarch64_cuttlefish_whitelist ANDROID: GKI: Update cuttlefish whitelist 2020-06-26 15:46:54 +00:00
abi_gki_aarch64_qcom_whitelist ANDROID: Update the ABI xml representation 2020-07-01 18:58:46 +00:00
abi_gki_aarch64_whitelist ANDROID: GKI: Update the ABI xml and whitelist 2020-05-14 15:58:13 -07:00
abi_gki_aarch64.xml ANDROID: Update the ABI xml representation 2020-07-01 18:58:46 +00:00
build.config.aarch64 ANDROID: add compat cross compiler 2020-04-27 22:52:19 -07:00
build.config.allmodconfig ANDROID: build.config.allmodconfig: Re-enable XFS_FS 2020-04-17 08:41:31 +00:00
build.config.allmodconfig.aarch64 ANDROID: Add allmodconfig build.configs for x86_64 and aarch64 2019-11-12 20:55:23 +00:00
build.config.allmodconfig.arm ANDROID: Add build.config files for ARM 32-bit 2020-03-16 17:43:55 +00:00
build.config.allmodconfig.x86_64 ANDROID: Add allmodconfig build.configs for x86_64 and aarch64 2019-11-12 20:55:23 +00:00
build.config.arm ANDROID: Add build.config files for ARM 32-bit 2020-03-16 17:43:55 +00:00
build.config.common ANDROID: Use depmod from the hermetic toolchain 2020-06-22 12:55:38 +00:00
build.config.gki ANDROID: gki: Removed cf modules from gki_defconfig 2020-01-31 16:23:38 -08:00
build.config.gki_kasan ANDROID: Rename build.config.gki.arch_kasan 2020-05-13 15:10:51 +00:00
build.config.gki_kasan.aarch64 ANDROID: Drop ABI monitoring from KASAN build config 2020-05-13 15:11:47 +00:00
build.config.gki_kasan.x86_64 ANDROID: Rename build.config.gki.arch_kasan 2020-05-13 15:10:51 +00:00
build.config.gki-debug.aarch64 ANDROID: Fix build.config.gki-debug 2020-05-20 11:50:18 +00:00
build.config.gki-debug.x86_64 ANDROID: Fix build.config.gki-debug 2020-05-20 11:50:18 +00:00
build.config.gki.aarch64 ANDROID: build.config.gki.aarch64: Enable WHITELIST_STRICT_MODE 2020-05-07 08:12:23 +00:00
build.config.gki.x86_64 ANDROID: refactor build.config files to remove duplication 2019-10-22 18:27:12 -07:00
build.config.x86_64 ANDROID: refactor build.config files to remove duplication 2019-10-22 18:27:12 -07:00
COPYING COPYING: use the new text with points to the license files 2018-03-23 12:41:45 -06:00
CREDITS 9p: remove Ron Minnich from MAINTAINERS 2018-08-17 16:20:26 -07:00
Kbuild Kbuild updates for v4.15 2017-11-17 17:45:29 -08:00
Kconfig kconfig: move the "Executable file formats" menu to fs/Kconfig.binfmt 2018-08-02 08:06:55 +09:00
MAINTAINERS This is the 4.19.107 stable release 2020-03-03 07:33:01 +01:00
Makefile Linux 4.19.131 2020-07-01 13:11:06 +02:00
README Docs: Added a pointer to the formatted docs to README 2018-03-21 09:02:53 -06:00

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.
See Documentation/00-INDEX for a list of what is contained in each file.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.