Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp685973imu; Fri, 9 Nov 2018 04:32:45 -0800 (PST) X-Google-Smtp-Source: AJdET5d8cvFJsCb+NVrF7ASk/pCaXlO+D3D5vu6Vdb9Y2F6tvDZ6eTyWDXL6DmWwn3lsr2yauLgB X-Received: by 2002:a17:902:274a:: with SMTP id j10-v6mr6793307plg.312.1541766765790; Fri, 09 Nov 2018 04:32:45 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541766765; cv=none; d=google.com; s=arc-20160816; b=sSJUcNsyIQoMY2nUhnZmCBTGCKV2d03A9SjQi0KsgQ/jd027vYJsmpV9yIWpwaCQo5 v7TTM7mx83trAovciwQ8+j31JBsV/qYm+Jn6AtTcunGV2R7rv7/KRiIH7gZckylqVQEw T4Z6rRz+OYUNhAmoS/aFzDMomZgBheU/c9hNgO96SQXOlLhw9sQBH3EdeG8QG13ZmoNy biITh5O/oKpWoe4BsnWjdhr9EJE8q1mYiXQIUrqKmTHi+kCPDguH2NlF20zwjCGN4o+t f78Jt0HRPKYEcmtYEOjmujC5h42ndpagXp2THgFVHOQVtnKDG0ybh2kK2Ae4uHcAIVwC Fi+A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=PSkdH/LyHUcxFmZFWJf3E+OiiNp8eODsAKvY3fk2pio=; b=hIXYcasYBLZA/L7QQaXfuqHazGMRQHS1JK8cC5y6QL+yUlq6MI51PoCoAr5kgnuNu9 sNonJHqp2Nk+PtQ0ERehY3pLKaSTHlBr9+xLanG30gv7Jfz3/BkhXiAg2WTjgqztemFE wrsEWOXEko+tKciyKNmt/6LShpO9fdzI3l+rXfF0hmyxaVyKvGLa7+iaz/JHz32lJlW9 s9xR6NIBrvLvutryjXqimcH8XlSIDMXb4dQWLd9/b2UYg81ixKQV4uK0GwzDz+2mX4w6 dZU8jpqK4CNH5xFWbfbKGexiscjp5OsHnvg3Zje1vj3HLekRwrY40fr/BDrdjPbgyTyt PKSA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=gVHNAKXj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k21-v6si6338726pgl.169.2018.11.09.04.32.26; Fri, 09 Nov 2018 04:32:45 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=gVHNAKXj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727818AbeKIWMa (ORCPT + 99 others); Fri, 9 Nov 2018 17:12:30 -0500 Received: from mail.kernel.org ([198.145.29.99]:41988 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727560AbeKIWMa (ORCPT ); Fri, 9 Nov 2018 17:12:30 -0500 Received: from localhost (71-6-98-120.static-ip.telepacific.net [71.6.98.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D8FD520825; Fri, 9 Nov 2018 12:32:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1541766725; bh=6p1FuJ58l+NxYdK9mbi5fh7H7aG/ZVSWix+1xuRR+9s=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=gVHNAKXjIJ7uCRdDUWuzJ1YcFgfHjOZrhmH7p5UI2mPMDbU5HyAxxpGFtBFfOtAMV 3+bJTUE1xTQQl8kzZkbKus34Ghv0+u3EX/ghpJUQS+jnO4YknVDJnFvXN2xruXE3lF CYTR3uUCBdFCTGk7eX6kMy4F5tg9bkXB88n9lL34= Date: Fri, 9 Nov 2018 04:32:04 -0800 From: Greg KH To: Todd Kjos Cc: tkjos@google.com, arve@android.com, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, maco@google.com, stable@vger.kernel.org, kernel-team@android.com Subject: Re: [PATCH] binder: fix race that allows malicious free of live buffer Message-ID: <20181109123204.GA11583@kroah.com> References: <20181106235532.171646-1-tkjos@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20181106235532.171646-1-tkjos@google.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 06, 2018 at 03:55:32PM -0800, Todd Kjos wrote: > Malicious code can attempt to free buffers using the > BC_FREE_BUFFER ioctl to binder. There are protections > against a user freeing a buffer while in use by the > kernel, however there was a window where BC_FREE_BUFFER > could be used to free a recently allocated buffer that > was not completely initialized. This resulted in a > use-after-free detected by KASAN with a malicious > test program. > > This window is closed by setting the buffer's > allow_user_free attribute to 0 when the buffer > is allocated or when the user has previously > freed it instead of waiting for the caller > to set it. The problem was that when the struct > buffer was recycled, allow_user_free was stale > and set to 1 allowing a free to go through. > > Signed-off-by: Todd Kjos > Acked-by: Arve Hj?nnev?g No "stable" tag here? Any idea how far back the stable backporting should go, if any? thanks, greg k-h