Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp9324770imu; Wed, 5 Dec 2018 02:59:46 -0800 (PST) X-Google-Smtp-Source: AFSGD/VHUB+XZqe2C6E2gVqW/xCRytQH6kqcRu+3tznFJ7eqnoSh+CeguCbY6Knv1giD4RA3ufdo X-Received: by 2002:a63:5761:: with SMTP id h33mr20002200pgm.283.1544007586477; Wed, 05 Dec 2018 02:59:46 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544007586; cv=none; d=google.com; s=arc-20160816; b=ilXXl0eC/i3bRJmRlIcSmno+S4lia4yMUlTnTv08vFvMd1MvsysNDDkgF+M5Td3Lpu HhMRQq9KYYdWnEZpluqHaZTnltZh1gutGSUVhurWOpAwO4Uw0U+ST/+/b1XsXh3v5X8Y 8LTiBd2M8Be73VkdsSmhp/CH5bD86sN8tjASqmPHO6GLPNQNkK3W8FevrZibTwiQFb/G OvEyyebqzyZJKPSFfx+7NXcO8o7BoqI9or1rGRWAX+38BJq/SmFcmNQIW5LmK6wK6vVF 9sTrcdM2Z1kS+p/bwkftmsjrHGUYs8GhtvzGeeUiZzwYkDdrGi0XNlCRy71NfDFL0cVX Qpcw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=DGnhtASosU3Kz6dB48YFZxZl1ZrR96vzbtlILyec+2M=; b=VF1LVBpBY0Kp8alo63lpbOPkHvVyEKaSZdWuc4aMrLi85kKZpsqR8secRZ9dc4Wbsy I+T4UAmPNxM8k0Rx+DJF7UT7sNWJ9S505yxSZaE3Q4xkDHTeMF4VrT8zbBNNaRN1ZtEH Cg3EnP5vogwtEkUq1yeBP9SKwz7z6Cde+DmKKherkdHGb84ubb6xbR4ZzKFBwz6fx39M 9JtxAINFQf5/gui5F1K4mRIngsLW42/OLTDXvH6uIEvFWNpGm5y1yaW8EtbM1wHYtv1s aQ2XoP1QJG53WvVuG9FrOjVaofXKz7hKRrWIXjZJP8P/uME3KzOVZ8dNVMRCzDh41J3n /nVg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=myY8cZ0D; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e6si16546891pgd.428.2018.12.05.02.59.30; Wed, 05 Dec 2018 02:59:46 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=myY8cZ0D; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727449AbeLEK6X (ORCPT + 99 others); Wed, 5 Dec 2018 05:58:23 -0500 Received: from mail.kernel.org ([198.145.29.99]:45020 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726889AbeLEK6X (ORCPT ); Wed, 5 Dec 2018 05:58:23 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5D938206B7; Wed, 5 Dec 2018 10:58:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1544007502; bh=cB63kHz/+DPzZewbeX+oYdJrDnnXbAGlb2RbLnSvy2o=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=myY8cZ0Dr9KEOjdPBuDsaQBrXKcpwSwOVweWEXSM9tMbTJypoK5wKnrphmi001YhF CPZ+4rHL9tmfQBuL8g9oAd/sVe0L/giptXFPaj8ulCPSCyUc/bYVVMN4TDLy+O7Rk4 T+KW2GXTmOOQ8iVtyQtmSwfytRVtsYnbRAqJPsFM= Date: Wed, 5 Dec 2018 11:58:20 +0100 From: Greg KH To: Todd Kjos Cc: tkjos@google.com, arve@android.com, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, maco@google.com, joel@joelfernandes.org, Martijn Coenen , kernel-team@android.com, Jann Horn Subject: Re: [PATCH] binder: fix use-after-free due to fdget() optimization Message-ID: <20181205105820.GB16376@kroah.com> References: <20181203202457.228972-1-tkjos@google.com> <20181203202457.228972-4-tkjos@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20181203202457.228972-4-tkjos@google.com> User-Agent: Mutt/1.11.0 (2018-11-25) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Dec 03, 2018 at 12:24:57PM -0800, Todd Kjos wrote: > 44d8047f1d87a ("binder: use standard functions to allocate fds") > exposed a pre-existing issue in the binder driver. > > fdget() is used in ksys_ioctl() as a performance optimization. > One of the rules associated with fdget() is that ksys_close() must > not be called between the fdget() and the fdput(). There is a case > where this requirement is not met in the binder driver (and possibly > other drivers) which results in the reference count dropping to 0 > when the device is still in use. This can result in use-after-free > or other issues. > > This was observed with the following sequence of events: > > Task A and task B are connected via binder; task A has /dev/binder open at > file descriptor number X. Both tasks are single-threaded. > > 1. task B sends a binder message with a file descriptor array > (BINDER_TYPE_FDA) containing one file descriptor to task A > 2. task A reads the binder message with the translated file > descriptor number Y > 3. task A uses dup2(X, Y) to overwrite file descriptor Y with > the /dev/binder file > 4. task A unmaps the userspace binder memory mapping; the reference > count on task A's /dev/binder is now 2 > 5. task A closes file descriptor X; the reference count on task > A's /dev/binder is now 1 > 6. task A forks off a child, task C, duplicating the file descriptor > table; the reference count on task A's /dev/binder is now 2 > 7. task A invokes the BC_FREE_BUFFER command on file descriptor X > to release the incoming binder message > 8. fdget() in ksys_ioctl() suppresses the reference count increment, > since the file descriptor table is not shared > 9. the BC_FREE_BUFFER handler removes the file descriptor table > entry for X and decrements the reference count of task A's > /dev/binder file to 1 > 10.task C calls close(X), which drops the reference count of > task A's /dev/binder to 0 and frees it > 11.task A continues processing of the ioctl and accesses some > property of e.g. the binder_proc => KASAN-detectable UAF > > Fixed by using get_file() / fput() in binder_ioctl(). > > Suggested-by: Jann Horn > Signed-off-by: Todd Kjos > Acked-by: Martijn Coenen Shouldn't this go to 4.20-final? And have a stable@ tag? And a "Fixes:" tag? thanks, greg k-h