linux-uconsole/drivers
Todd Kjos 41e863e2ea UPSTREAM: binder: fix null deref of proc->context
commit d35d3660e0 upstream.

The binder driver makes the assumption proc->context pointer is invariant after
initialization (as documented in the kerneldoc header for struct proc).
However, in commit f0fe2c0f05 ("binder: prevent UAF for binderfs devices II")
proc->context is set to NULL during binder_deferred_release().

Another proc was in the middle of setting up a transaction to the dying
process and crashed on a NULL pointer deref on "context" which is a local
set to &proc->context:

    new_ref->data.desc = (node == context->binder_context_mgr_node) ? 0 : 1;

Here's the stack:

[ 5237.855435] Call trace:
[ 5237.855441] binder_get_ref_for_node_olocked+0x100/0x2ec
[ 5237.855446] binder_inc_ref_for_node+0x140/0x280
[ 5237.855451] binder_translate_binder+0x1d0/0x388
[ 5237.855456] binder_transaction+0x2228/0x3730
[ 5237.855461] binder_thread_write+0x640/0x25bc
[ 5237.855466] binder_ioctl_write_read+0xb0/0x464
[ 5237.855471] binder_ioctl+0x30c/0x96c
[ 5237.855477] do_vfs_ioctl+0x3e0/0x700
[ 5237.855482] __arm64_sys_ioctl+0x78/0xa4
[ 5237.855488] el0_svc_common+0xb4/0x194
[ 5237.855493] el0_svc_handler+0x74/0x98
[ 5237.855497] el0_svc+0x8/0xc

The fix is to move the kfree of the binder_device to binder_free_proc()
so the binder_device is freed when we know there are no references
remaining on the binder_proc.

Fixes: f0fe2c0f05 ("binder: prevent UAF for binderfs devices II")
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200622200715.114382-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I933c938ea85889f77fb634bbed29a7cd74527dcc
2020-07-07 00:12:16 +00:00
accessibility
acpi Linux 4.19.131 2020-07-01 13:11:06 +02:00
amba
android UPSTREAM: binder: fix null deref of proc->context 2020-07-07 00:12:16 +00:00
ata ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function 2020-06-30 23:17:13 -04:00
atm fore200e: Fix incorrect checks of NULL pointer dereference 2020-02-24 08:34:42 +01:00
auxdisplay
base Linux 4.19.131 2020-07-01 13:11:06 +02:00
bcma bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA 2020-01-27 14:51:09 +01:00
block Linux 4.19.131 2020-07-01 13:11:06 +02:00
bluetooth Bluetooth: hci_bcm: fix freeing not-requested IRQ 2020-06-22 09:05:26 +02:00
bus bus: sunxi-rsb: Return correct data when mixing 16-bit and 8-bit reads 2020-04-17 10:48:37 +02:00
cdrom
char Linux 4.19.131 2020-07-01 13:11:06 +02:00
clk This is the 4.19.130 stable release 2020-06-27 09:50:13 +02:00
clocksource This is the 4.19.129 stable release 2020-06-22 10:50:54 +02:00
connector
cpufreq This is the 4.19.124 stable release 2020-05-20 11:37:46 +02:00
cpuidle This is the 4.19.129 stable release 2020-06-22 10:50:54 +02:00
crypto This is the 4.19.130 stable release 2020-06-27 09:50:13 +02:00
dax
dca
devfreq FROMLIST: PM / devfreq: Restart previous governor if new governor fails to start 2020-05-02 00:07:05 -07:00
dio
dma PCI: Move Rohm Vendor ID to generic list 2020-06-22 09:05:23 +02:00
dma-buf FROMLIST: dma-buf: add support for virtio exported objects 2020-04-18 08:26:02 +00:00
edac Linux 4.19.131 2020-07-01 13:11:06 +02:00
eisa
energy_model
extcon This is the 4.19.130 stable release 2020-06-27 09:50:13 +02:00
firewire
firmware Linux 4.19.131 2020-07-01 13:11:06 +02:00
fmc
fpga fpga: dfl: afu: Corrected error handling levels 2020-06-25 15:32:58 +02:00
fsi fsi: sbefifo: Don't fail operations when in SBE IPL state 2020-01-27 14:51:00 +01:00
gnss This is the 4.19.129 stable release 2020-06-22 10:50:54 +02:00
gpio This is the 4.19.130 stable release 2020-06-27 09:50:13 +02:00
gpu Revert "drm/dsi: Fix byte order of DCS set/get brightness" 2020-07-01 18:58:38 +00:00
hid This is the 4.19.130 stable release 2020-06-27 09:50:13 +02:00
hsi
hv x86/Hyper-V: Report crash data in die() when panic_on_oops is set 2020-04-23 10:30:17 +02:00
hwmon This is the 4.19.129 stable release 2020-06-22 10:50:54 +02:00
hwspinlock
hwtracing UPSTREAM: coresight: Potential uninitialized variable in probe() 2020-03-27 02:11:00 +00:00
i2c Linux 4.19.131 2020-07-01 13:11:06 +02:00
ide ide: serverworks: potential overflow in svwks_set_pio_mode() 2020-02-24 08:34:49 +01:00
idle
iio This is the 4.19.130 stable release 2020-06-27 09:50:13 +02:00
infiniband Linux 4.19.131 2020-07-01 13:11:06 +02:00
input This is the 4.19.129 stable release 2020-06-22 10:50:54 +02:00
iommu This is the 4.19.126 stable release 2020-06-03 09:23:15 +02:00
ipack ipack: tpci200: fix error return code in tpci200_register() 2020-05-27 17:37:43 +02:00
irqchip This is the 4.19.118 stable release 2020-04-23 11:07:54 +02:00
isdn PCI: add USR vendor id and use it in r8169 and w6692 driver 2020-06-22 09:05:23 +02:00
leds leds: pca963x: Fix open-drain initialization 2020-02-24 08:34:35 +01:00
lightnvm
macintosh drivers/macintosh: Fix memleak in windfarm_pm112 driver 2020-06-22 09:05:29 +02:00
mailbox ANDROID: GKI: drivers: mailbox: fix race resulting in multiple message submission 2020-04-30 00:05:52 -07:00
mcb
md Linux 4.19.131 2020-07-01 13:11:06 +02:00
media This is the 4.19.129 stable release 2020-06-22 10:50:54 +02:00
memory
memstick
message
mfd mfd: wm8994: Fix driver operation if loaded as modules 2020-06-25 15:32:50 +02:00
misc This is the 4.19.129 stable release 2020-06-22 10:50:54 +02:00
mmc This is the 4.19.129 stable release 2020-06-22 10:50:54 +02:00
mtd mtd: rawnand: marvell: Fix the condition on a return code 2020-06-30 23:17:00 -04:00
mux
net Linux 4.19.131 2020-07-01 13:11:06 +02:00
nfc NFC: st21nfca: add missed kfree_skb() in an error path 2020-06-10 21:34:59 +02:00
ntb NTB: perf: Fix race condition when run with ntb_test 2020-06-25 15:33:03 +02:00
nubus
nvdimm This is the 4.19.127 stable release 2020-06-07 14:25:43 +02:00
nvme nvme: refine the Qemu Identify CNS quirk 2020-06-22 09:05:16 +02:00
nvmem This is the 4.19.128 stable release 2020-06-11 09:16:29 +02:00
of This is the 4.19.130 stable release 2020-06-27 09:50:13 +02:00
opp This is the 4.19.99 stable release 2020-01-27 15:55:44 +01:00
oprofile
parisc
parport
pci This is the 4.19.130 stable release 2020-06-27 09:50:13 +02:00
pcmcia
perf drivers/perf: hisi: Fix wrong value for all counters enable 2020-06-25 15:33:04 +02:00
phy phy: mapphone-mdm6600: Fix write timeouts with shorter GPIO toggle interval 2020-03-11 14:15:10 +01:00
pinctrl pinctrl: freescale: imx: Fix an error handling path in 'imx_pinctrl_probe()' 2020-06-25 15:33:01 +02:00
platform This is the 4.19.129 stable release 2020-06-22 10:50:54 +02:00
pnp
power This is the 4.19.130 stable release 2020-06-27 09:50:13 +02:00
powercap
pps
ps3
ptp
pwm This is the 4.19.130 stable release 2020-06-27 09:50:13 +02:00
rapidio rapidio: fix an error in get_user_pages_fast() error handling 2020-05-27 17:37:43 +02:00
ras
regulator Linux 4.19.131 2020-07-01 13:11:06 +02:00
remoteproc remoteproc: Fix IDR initialisation in rproc_alloc() 2020-06-25 15:32:47 +02:00
reset reset: uniphier: Add SCSSI reset control for each channel 2020-02-24 08:34:44 +01:00
rpmsg rpmsg: glink: Remove chunk size word align warning 2020-04-13 10:45:16 +02:00
rtc ANDROID: rtc: class: call hctosys in resource managed registration 2020-05-19 12:15:22 -07:00
s390 scsi: zfcp: Fix panic on ERP timeout for previously dismissed ERP action 2020-06-30 23:17:08 -04:00
sbus
scsi This is the 4.19.130 stable release 2020-06-27 09:50:13 +02:00
sfi
sh
siox
slimbus slimbus: ngd: get drvdata from correct device 2020-06-25 15:32:54 +02:00
sn
soc This is the 4.19.118 stable release 2020-04-23 11:07:54 +02:00
soundwire
spi This is the 4.19.129 stable release 2020-06-22 10:50:54 +02:00
spmi Revert "ANDROID: GKI: spmi: pmic-arb: don't enable SPMI_MSM_PMIC_ARB by default" 2020-05-01 19:41:44 +00:00
ssb
staging Linux 4.19.131 2020-07-01 13:11:06 +02:00
target scsi: target: tcmu: Fix a use after free in tcmu_check_expired_queue_cmd() 2020-06-25 15:32:59 +02:00
tc
tee This is the 4.19.102 stable release 2020-02-05 19:20:26 +00:00
thermal This is the 4.19.130 stable release 2020-06-27 09:50:13 +02:00
thunderbolt thunderbolt: Drop duplicated get_switch_at_route() 2020-05-27 17:37:40 +02:00
tty Linux 4.19.131 2020-07-01 13:11:06 +02:00
uio uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol() 2020-02-24 08:34:37 +01:00
usb UPSTREAM: usb: musb: mediatek: add reset FADDR to zero in reset interrupt handle 2020-07-02 12:30:56 +00:00
uwb
vfio This is the 4.19.130 stable release 2020-06-27 09:50:13 +02:00
vhost This is the 4.19.125 stable release 2020-05-28 12:20:07 +02:00
video backlight: lp855x: Ensure regulators are disabled on probe failure 2020-06-25 15:32:48 +02:00
virt
virtio ANDROID: Re-add default y for VIRTIO_PCI_LEGACY 2020-03-03 23:28:01 +00:00
visorbus visorbus: fix uninitialized variable access 2020-02-24 08:34:47 +01:00
vlynq
vme vme: bridges: reduce stack usage 2020-02-24 08:34:47 +01:00
w1 w1: omap-hdq: cleanup to add missing newline for some dev_dbg 2020-06-22 09:05:30 +02:00
watchdog watchdog: da9062: No need to ping manually before setting timeout 2020-06-25 15:32:58 +02:00
xen xen/pvcalls-back: test for errors when calling backend_connect() 2020-06-22 09:05:09 +02:00
zorro
Kconfig UPSTREAM: gpu/trace: add a gpu total memory usage tracepoint 2020-04-21 15:34:05 +00:00
Makefile