From: Todd Kjos
Date: Fri, 9 Nov 2018 08:22:44 -0800
Subject: Re: [PATCH] binder: fix race that allows malicious free of live buffer
To: Greg Kroah-Hartman
Cc: Todd Kjos, Arve Hjønnevåg, "open list:ANDROID DRIVERS", LKML, Martijn Coenen, stable@vger.kernel.org, kernel-team@android.com
In-Reply-To: <20181109123204.GA11583@kroah.com>
References: <20181106235532.171646-1-tkjos@google.com> <20181109123204.GA11583@kroah.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Nov 9, 2018 at 4:32 AM Greg KH wrote:
>
> On Tue, Nov 06, 2018 at 03:55:32PM -0800, Todd Kjos wrote:
> > Malicious code can attempt to free buffers using the
> > BC_FREE_BUFFER ioctl to binder. There are protections
> > against a user freeing a buffer while in use by the
> > kernel, however there was a window where BC_FREE_BUFFER
> > could be used to free a recently allocated buffer that
> > was not completely initialized. This resulted in a
> > use-after-free detected by KASAN with a malicious
> > test program.
> >
> > This window is closed by setting the buffer's
> > allow_user_free attribute to 0 when the buffer
> > is allocated or when the user has previously
> > freed it instead of waiting for the caller
> > to set it. The problem was that when the struct
> > buffer was recycled, allow_user_free was stale
> > and set to 1 allowing a free to go through.
> >
> > Signed-off-by: Todd Kjos
> > Acked-by: Arve Hjønnevåg
>
> No "stable" tag here? Any idea how far back the stable backporting
> should go, if any?

Sorry about that. It should be backported to 4.14 and later.

>
> thanks,
>
> greg k-h
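A toy C model of the stale-flag window the quoted commit message describes, added here as an illustration and not code from the binder driver or from the patch; the `struct buf`, the single recycled slot, the helper names and the `fixed` switch are all assumptions made for the example. It replays one lifecycle twice: with the old behaviour the recycled struct still carries `allow_user_free == 1`, so a user free lands before the second initialisation completes; with the flag cleared at allocation and on user free, the same request is refused.

```c
#include <stdbool.h>
#include <string.h>
/* Toy model of the lifecycle the commit message describes, not binder's
 * code: one reusable slot stands in for the recycled struct. */
struct buf {
    bool in_use;
    bool allow_user_free; /* set by the owner once initialisation is done */
    int  payload;
};
static struct buf slot;

/* With `fixed` the flag is cleared at allocation; without it the
 * recycled struct keeps whatever stale value it had last time. */
static struct buf *buf_alloc(bool fixed)
{
    slot.in_use = true;
    slot.payload = 0;            /* owner has not finished initialising */
    if (fixed)
        slot.allow_user_free = false;
    return &slot;
}

/* Owner finishes initialisation and hands the buffer to the user. */
static void buf_init_done(struct buf *b)
{
    b->payload = 42;
    b->allow_user_free = true;
}

/* User-requested free (the BC_FREE_BUFFER path). Returns true if honoured.
 * With `fixed` the flag is also cleared so it cannot survive recycling. */
static bool buf_user_free(struct buf *b, bool fixed)
{
    if (!b->in_use || !b->allow_user_free)
        return false;
    b->in_use = false;
    if (fixed)
        b->allow_user_free = false;
    return true;
}

/* First use completes and is freed; the struct is recycled and a user free
 * arrives before the second initialisation finishes. Returns true when that
 * premature free is accepted, which is the window the patch closes. */
static bool premature_free_accepted(bool fixed)
{
    memset(&slot, 0, sizeof slot);
    struct buf *b = buf_alloc(fixed);
    buf_init_done(b);
    buf_user_free(b, fixed);     /* legitimate free of the first buffer */
    b = buf_alloc(fixed);        /* second allocation, init still pending */
    return buf_user_free(b, fixed);
}
```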