linux/drivers
Todd Kjos f75b05ac56 UPSTREAM: binder: fix UAF when releasing todo list
When releasing a thread todo list when tearing down
a binder_proc, the following race was possible which
could result in a use-after-free:

1.  Thread 1: enter binder_release_work from binder_thread_release
2.  Thread 2: binder_update_ref_for_handle() -> binder_dec_node_ilocked()
3.  Thread 2: dec nodeA --> 0 (will free node)
4.  Thread 1: ACQ inner_proc_lock
5.  Thread 2: block on inner_proc_lock
6.  Thread 1: dequeue work (BINDER_WORK_NODE, part of nodeA)
7.  Thread 1: REL inner_proc_lock
8.  Thread 2: ACQ inner_proc_lock
9.  Thread 2: todo list cleanup, but work was already dequeued
10. Thread 2: free node
11. Thread 2: REL inner_proc_lock
12. Thread 1: deref w->type (UAF)

The problem was that for a BINDER_WORK_NODE, the binder_work element
must not be accessed after releasing the inner_proc_lock while
processing the todo list elements since another thread might be
handling a deref on the node containing the binder_work element
leading to the node being freed.

Signed-off-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20201009232455.4054810-1-tkjos@google.com
Cc: <stable@vger.kernel.org> # 4.14, 4.19, 5.4, 5.8
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit f3277cbfba)
Change-Id: I7c1bf0b74824f272664e76206c5dc3b66b9eeaff
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2020-10-17 13:15:39 +02:00
accessibility
acpi This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
amba
android UPSTREAM: binder: fix UAF when releasing todo list 2020-10-17 13:15:39 +02:00
ata ata: sata_mv, avoid trigerrable BUG_ON 2020-10-01 13:14:54 +02:00
atm atm: eni: fix the missed pci_disable_device() for eni_init_one() 2020-10-01 13:14:51 +02:00
auxdisplay
base This is the 4.19.151 stable release 2020-10-14 12:11:08 +02:00
bcma bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA 2020-01-27 14:51:09 +01:00
block This is the 4.19.146 stable release 2020-09-17 13:59:19 +02:00
bluetooth Bluetooth: btrtl: Use kvmalloc for FW allocations 2020-10-01 13:14:31 +02:00
bus bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in host removal 2020-10-01 13:14:35 +02:00
cdrom
char This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
clk This is the 4.19.150 stable release 2020-10-07 08:45:35 +02:00
clocksource This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
connector
cpufreq This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
cpuidle This is the 4.19.144 stable release 2020-09-09 19:48:58 +02:00
crypto This is the 4.19.152 stable release 2020-10-17 10:26:40 +02:00
dax
dca
devfreq This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
dio
dma dmaengine: tegra-apb: Prevent race conditions on channel's freeing 2020-10-01 13:14:35 +02:00
dma-buf This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
edac This is the 4.19.143 stable release 2020-09-03 13:19:20 +02:00
eisa
energy_model
extcon This is the 4.19.130 stable release 2020-06-27 09:50:13 +02:00
firewire
firmware This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
fmc
fpga fpga: dfl: fix bug in port reset handshake 2020-07-29 10:16:48 +02:00
fsi fsi: sbefifo: Don't fail operations when in SBE IPL state 2020-01-27 14:51:00 +01:00
gnss This is the 4.19.129 stable release 2020-06-22 10:50:54 +02:00
gpio This is the 4.19.150 stable release 2020-10-07 08:45:35 +02:00
gpu This is the 4.19.151 stable release 2020-10-14 12:11:08 +02:00
hid This is the 4.19.146 stable release 2020-09-17 13:59:19 +02:00
hsi
hv Drivers: hv: vmbus: Add timeout to vmbus_wait_for_unload 2020-09-23 12:10:59 +02:00
hwmon This is the 4.19.144 stable release 2020-09-09 19:48:58 +02:00
hwspinlock
hwtracing This is the 4.19.140 stable release 2020-08-19 08:43:22 +02:00
i2c This is the 4.19.151 stable release 2020-10-14 12:11:08 +02:00
ide ide: serverworks: potential overflow in svwks_set_pio_mode() 2020-02-24 08:34:49 +01:00
idle
iio This is the 4.19.146 stable release 2020-09-17 13:59:19 +02:00
infiniband This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
input This is the 4.19.150 stable release 2020-10-07 08:45:35 +02:00
iommu This is the 4.19.150 stable release 2020-10-07 08:45:35 +02:00
ipack ipack: tpci200: fix error return code in tpci200_register() 2020-05-27 17:37:43 +02:00
irqchip This is the 4.19.143 stable release 2020-09-03 13:19:20 +02:00
isdn PCI: add USR vendor id and use it in r8169 and w6692 driver 2020-06-22 09:05:23 +02:00
leds leds: mlxreg: Fix possible buffer overflow 2020-10-01 13:14:25 +02:00
lightnvm lightnvm: pblk: fix lock order in pblk_rb_tear_down_check 2020-01-27 14:50:45 +01:00
macintosh drivers/macintosh: Fix memleak in windfarm_pm112 driver 2020-06-22 09:05:29 +02:00
mailbox ANDROID: GKI: drivers: mailbox: fix race resulting in multiple message submission 2020-04-30 00:05:52 -07:00
mcb
md This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
media This is the 4.19.152 stable release 2020-10-17 10:26:40 +02:00
memory
memstick
message scsi: mptscsih: Fix read sense data size 2020-07-16 08:17:23 +02:00
mfd mfd: mfd-core: Protect against NULL call-back function pointer 2020-10-01 13:14:26 +02:00
misc This is the 4.19.140 stable release 2020-08-19 08:43:22 +02:00
mmc This is the 4.19.151 stable release 2020-10-14 12:11:08 +02:00
mtd mtd: rawnand: sunxi: Fix the probe error path 2020-10-14 10:31:22 +02:00
mux
net This is the 4.19.152 stable release 2020-10-17 10:26:40 +02:00
nfc NFC: st95hf: Fix memleak in st95hf_in_send_cmd 2020-09-17 13:45:24 +02:00
ntb NTB: perf: Fix race condition when run with ntb_test 2020-06-25 15:33:03 +02:00
nubus
nvdimm This is the 4.19.127 stable release 2020-06-07 14:25:43 +02:00
nvme nvme-core: put ctrl ref when module ref get fail 2020-10-14 10:31:22 +02:00
nvmem This is the 4.19.128 stable release 2020-06-11 09:16:29 +02:00
of This is the 4.19.134 stable release 2020-07-22 13:03:12 +02:00
opp This is the 4.19.99 stable release 2020-01-27 15:55:44 +01:00
oprofile
parisc parisc: mask out enable and reserved bits from sba imask 2020-08-19 08:15:07 +02:00
parport
pci This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
pcmcia
perf drivers/perf: hisi: Fix wrong value for all counters enable 2020-06-25 15:33:04 +02:00
phy phy: samsung: s5pv210-usb2: Add delay after reset 2020-10-01 13:14:44 +02:00
pinctrl pinctrl: mvebu: Fix i2c sda definition for 98DX3236 2020-10-07 08:00:07 +02:00
platform This is the 4.19.151 stable release 2020-10-14 12:11:08 +02:00
pnp
power This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
powercap
pps
ps3
ptp
pwm This is the 4.19.141 stable release 2020-08-21 13:01:46 +02:00
rapidio rapidio: avoid data race between file operation callbacks and mport_cdev_add(). 2020-10-01 13:14:48 +02:00
ras
regulator This is the 4.19.147 stable release 2020-09-24 12:48:04 +02:00
remoteproc remoteproc: qcom: q6v5: Update running state before requesting stop 2020-08-21 11:05:34 +02:00
reset reset: uniphier: Add SCSSI reset control for each channel 2020-02-24 08:34:44 +01:00
rpmsg rpmsg: glink: Remove chunk size word align warning 2020-04-13 10:45:16 +02:00
rtc This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
s390 s390/zcrypt: Fix ZCRYPT_PERDEV_REQCNT ioctl 2020-10-01 13:14:54 +02:00
sbus
scsi This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
sfi
sh
siox
slimbus slimbus: core: Fix mismatch in of_node_get/put 2020-07-22 09:32:07 +02:00
sn
soc This is the 4.19.140 stable release 2020-08-19 08:43:22 +02:00
soundwire
spi This is the 4.19.150 stable release 2020-10-07 08:45:35 +02:00
spmi Revert "ANDROID: GKI: spmi: pmic-arb: don't enable SPMI_MSM_PMIC_ARB by default" 2020-05-01 19:41:44 +00:00
ssb
staging This is the 4.19.152 stable release 2020-10-17 10:26:40 +02:00
target scsi: target: iscsi: Fix hang in iscsit_access_np() when getting tpg->np_login_sem 2020-09-17 13:45:29 +02:00
tc
tee This is the 4.19.102 stable release 2020-02-05 19:20:26 +00:00
thermal This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
thunderbolt thunderbolt: Drop duplicated get_switch_at_route() 2020-05-27 17:37:40 +02:00
tty This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
uio uio_pdrv_genirq: fix use without device tree and no interrupt 2020-07-22 09:32:11 +02:00
usb This is the 4.19.152 stable release 2020-10-17 10:26:40 +02:00
uwb
vfio This is the 4.19.149 stable release 2020-10-01 16:49:05 +02:00
vhost This is the 4.19.150 stable release 2020-10-07 08:45:35 +02:00
video fbcon: Fix global-out-of-bounds read in fbcon_get_font() 2020-10-14 10:31:21 +02:00
virt virt: vbox: Fix guest capabilities mask check 2020-07-22 09:32:10 +02:00
virtio This is the 4.19.142 stable release 2020-08-26 11:07:03 +02:00
visorbus visorbus: fix uninitialized variable access 2020-02-24 08:34:47 +01:00
vlynq
vme vme: bridges: reduce stack usage 2020-02-24 08:34:47 +01:00
w1 w1: omap-hdq: cleanup to add missing newline for some dev_dbg 2020-06-22 09:05:30 +02:00
watchdog watchdog: initialize device before misc_register 2020-08-21 11:05:37 +02:00
xen xen/xenbus: Fix granting of vmalloc'd memory 2020-09-09 19:04:24 +02:00
zorro
Kconfig UPSTREAM: gpu/trace: add a gpu total memory usage tracepoint 2020-04-21 15:34:05 +00:00
Makefile