From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Todd Kjos
Subject: [PATCH 4.9 025/101] binder: fix proc->files use-after-free
Date: Thu, 6 Dec 2018 15:38:24 +0100
Message-Id: <20181206143013.033685511@linuxfoundation.org>
In-Reply-To: <20181206143011.174892052@linuxfoundation.org>

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Todd Kjos

commit 7f3dc0088b98533f17128058fac73cd8b2752ef1 upstream.

proc->files cleanup is initiated by binder_vma_close. Therefore a
reference on the binder_proc is not enough to prevent the files_struct
from being released while the binder_proc still has a reference.
This can lead to an attempt to dereference the stale pointer obtained
from proc->files prior to proc->files cleanup. This has been seen
once in task_get_unused_fd_flags() when __alloc_fd() is called with
a stale "files".

The fix is to protect proc->files with a mutex to prevent cleanup
while in use.

Signed-off-by: Todd Kjos
Signed-off-by: Greg Kroah-Hartman
---
 drivers/android/binder.c | 41 +++++++++++++++++++++++++++++------------
 1 file changed, 29 insertions(+), 12 deletions(-)

--- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -302,6 +302,7 @@ struct binder_proc { struct mm_struct *vma_vm_mm; struct task_struct *tsk; struct files_struct *files; + struct mutex files_lock; struct hlist_node deferred_work_node; int deferred_work; void *buffer;
@@ -375,20 +376,26 @@ binder_defer_work(struct binder_proc *pr static int task_get_unused_fd_flags(struct binder_proc *proc, int flags) { - struct files_struct *files = proc->files; unsigned long rlim_cur; unsigned long irqs; + int ret; - if (files == NULL) - return -ESRCH; - - if (!lock_task_sighand(proc->tsk, &irqs)) - return -EMFILE; - + mutex_lock(&proc->files_lock); + if (proc->files == NULL) { + ret = -ESRCH; + goto err; + } + if (!lock_task_sighand(proc->tsk, &irqs)) { + ret = -EMFILE; + goto err; + } rlim_cur = task_rlimit(proc->tsk, RLIMIT_NOFILE); unlock_task_sighand(proc->tsk, &irqs); - return __alloc_fd(files, 0, rlim_cur, flags); + ret = __alloc_fd(proc->files, 0, rlim_cur, flags); +err: + mutex_unlock(&proc->files_lock); + return ret; } /* @@ -397,8 +404,10 @@ static int task_get_unused_fd_flags(stru static void task_fd_install( struct binder_proc *proc, unsigned int fd, struct file *file) { + mutex_lock(&proc->files_lock); if (proc->files) __fd_install(proc->files, fd, file); + mutex_unlock(&proc->files_lock); } /* @@ -408,9 +417,11 @@ static long task_close_fd(struct binder_ { int retval; - if (proc->files == NULL) - return -ESRCH; - + mutex_lock(&proc->files_lock); + if (proc->files == NULL) { + retval = -ESRCH; + goto err; + } retval = __close_fd(proc->files, fd); /* can't restart close syscall because file table entry was cleared */ if (unlikely(retval == -ERESTARTSYS || @@ -418,7 +429,8 @@ static long task_close_fd(struct binder_ retval == -ERESTARTNOHAND || retval == -ERESTART_RESTARTBLOCK)) retval = -EINTR; - +err: + mutex_unlock(&proc->files_lock); return retval; } @@ -2946,7 +2958,9 @@ static int binder_mmap(struct file *filp binder_insert_free_buffer(proc, buffer); proc->free_async_space = proc->buffer_size / 2; barrier(); + mutex_lock(&proc->files_lock); proc->files = get_files_struct(current); + mutex_unlock(&proc->files_lock); proc->vma = vma; proc->vma_vm_mm = vma->vm_mm; 
@@ -2982,6 +2996,7 @@ static int binder_open(struct inode *nod return -ENOMEM; get_task_struct(current->group_leader); proc->tsk = current->group_leader; + mutex_init(&proc->files_lock); INIT_LIST_HEAD(&proc->todo); init_waitqueue_head(&proc->wait); proc->default_priority = task_nice(current); @@ -3220,9 +3235,11 @@ static void binder_deferred_func(struct files = NULL; if (defer & BINDER_DEFERRED_PUT_FILES) { + mutex_lock(&proc->files_lock); files = proc->files; if (files) proc->files = NULL; + mutex_unlock(&proc->files_lock); } if (defer & BINDER_DEFERRED_FLUSH)
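Review bot: the new `struct mutex files_lock` member added to `struct binder_proc` in the first hunk carries no comment stating what it guards. The commit message explains that it exists to keep `proc->files` alive against the cleanup started by binder_vma_close, so a one-line comment above the field, e.g. `/* protects files; hold while proc->files is read, used or cleared */`, would record that rule where the next reader of the struct will look, and would make explicit that the old pattern of snapshotting `files` outside the lock (the pattern this patch removes from task_get_unused_fd_flags()) is no longer allowed.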
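Review bot: in the task_get_unused_fd_flags() hunk the new `err:` label is also the exit for the success path (`ret = __alloc_fd(proc->files, 0, rlim_cur, flags);` falls straight into it), so `err` is a misleading name; `out:` or `unlock:` would read correctly for both paths, and the same applies to the `err:` label in the task_close_fd() hunk. The locking itself looks sound: every early `return` that was removed is replaced by a `goto` that reaches `mutex_unlock(&proc->files_lock)`, and taking `lock_task_sighand()` (a spinlock with interrupts saved) inside the mutex is the right order, while `__alloc_fd()` may sleep when it expands the fd table, which a mutex permits and a spinlock would not. It would be worth stating that sleeping requirement in the commit message so nobody later converts `files_lock` to a spinlock.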
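Review bot: the binder_open() hunk adds `mutex_init(&proc->files_lock);`, but no hunk adds a matching `mutex_destroy()` on the binder_proc teardown path. Functionally the kernel does not require it, yet with CONFIG_DEBUG_MUTEXES it is exactly what flags a later use of the lock on a freed binder_proc, which is the class of lifetime bug this patch is fixing; consider adding it where the proc is finally released.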
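Review bot: in the binder_deferred_func() hunk the `files` pointer is taken and `proc->files` cleared under `files_lock`, but the `put_files_struct(files)` that consumes it lies outside the shown context, so please confirm it stays after `mutex_unlock(&proc->files_lock);`. Dropping the last files_struct reference can close every file in the table, and doing that with `files_lock` held would serialise that teardown against every binder fd operation for the process, while the lock only needs to cover the swap to NULL that the hunk shows.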