Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3504507imu; Mon, 7 Jan 2019 04:43:33 -0800 (PST) X-Google-Smtp-Source: ALg8bN7FBNEQYOTjbWLrZESo9ImhvZ814oO9BYTGjlNEkY7TCfKzU6//SHLJDZoGeoecrh+6Tw2s X-Received: by 2002:a17:902:5a4d:: with SMTP id f13mr62950935plm.49.1546865013700; Mon, 07 Jan 2019 04:43:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1546865013; cv=none; d=google.com; s=arc-20160816; b=NJfLZSJdPzvBMp5pwnQNH36h2jbtd7sN8xCn+XUqiIYKE7Fqy0n7twCI+RTg7Nf1DS 4PZqvDRjFTaNmGSDZUJiOJEKFU7lao5sClpm8v0m444j6ReqflYEj5OsNcfva2Cf93RN 1QVdFWlrLhffX61kOTktj3luCyuxQlVEu4JT562NGAKgC5caW4MHgVWObnMQQhNpZ+kC R/k+X0Nz7A3FOETtRFS79dP2Sf/RwONP4O1WIKITImRXNQiGfQMviePB5hUTDDw9Ecr1 hbr78O0BtsaQsPzfqPwSga4A+70TSS+jpxy7FOYjdbiWkijSYeQ+ZFxap1vTzRl4C6qW GKSA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=AQQrZGowt9Z+GHkYDcat7Kqo3VmK9sNqne3jznbUsd8=; b=bbD1Axy3d2vz+T9ReJv5mwFHnK2xMEkEhF2Be/0QuSnBi0mlVFcPeu6fhtAnWtaNFn dpH5h0sZTxltlptbUFo4wvDbPRcoiq4LddtR1m3vFdgWOC82piCQCH2TjoJiO+0KPYQB 7mqOu8rtw9BgnQ30R7vp+vHnqCeKD+uh47dNY3h9axuAqkN9Eox/uUFYNLFUdgV5CJfb N15P53Kp/HWNX8DcWMniLTNhrt70ejiRPkd/Jr/0tmbBwcHRGBUMpfnWKOZzcJXkzRnz kMbdbgEF7dwXXIa5KToGljhBI5HEbF0cnoqu9+TczJeW9O8Vuxr3h5brx1YfkIkMUXsq 6WUw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=X2JdAtzY; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q127si8156889pfq.19.2019.01.07.04.43.18; Mon, 07 Jan 2019 04:43:33 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=X2JdAtzY; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728127AbfAGMlV (ORCPT + 99 others); Mon, 7 Jan 2019 07:41:21 -0500 Received: from mail.kernel.org ([198.145.29.99]:56442 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728103AbfAGMlT (ORCPT ); Mon, 7 Jan 2019 07:41:19 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id ADD682183E; Mon, 7 Jan 2019 12:41:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1546864878; bh=WzgQUdK71BR6aFQKtUtwSIcH1NeqJtH/Ej0VAs96O/g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=X2JdAtzYzBvkzBs6Im9ajqowQ6ldHrGZ1WqR7uf63FaHKyw+yrmrq05stznMRMsKz w7voDD/vviSKBiXI41DVGkQJqJBQ9Em7BSz5El70S0W3hs7zJn1EU0UcsJEd+d6GPP lPgKcOmtvU8AK+Ng3ViySsJcB+0IV+tzzJpWaR1k= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Al Viro , Todd Kjos Subject: [PATCH 4.20 090/145] binder: fix use-after-free due to ksys_close() during fdget() Date: Mon, 7 Jan 2019 13:32:07 +0100 Message-Id: <20190107104448.976364882@linuxfoundation.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190107104437.308206189@linuxfoundation.org> References: <20190107104437.308206189@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.20-stable review patch. If anyone has any objections, please let me know. ------------------ From: Todd Kjos commit 80cd795630d6526ba729a089a435bf74a57af927 upstream. 44d8047f1d8 ("binder: use standard functions to allocate fds") exposed a pre-existing issue in the binder driver. fdget() is used in ksys_ioctl() as a performance optimization. One of the rules associated with fdget() is that ksys_close() must not be called between the fdget() and the fdput(). There is a case where this requirement is not met in the binder driver which results in the reference count dropping to 0 when the device is still in use. This can result in use-after-free or other issues. If userpace has passed a file-descriptor for the binder driver using a BINDER_TYPE_FDA object, then kys_close() is called on it when handling a binder_ioctl(BC_FREE_BUFFER) command. This violates the assumptions for using fdget(). The problem is fixed by deferring the close using task_work_add(). A new variant of __close_fd() was created that returns a struct file with a reference. The fput() is deferred instead of using ksys_close(). Fixes: 44d8047f1d87a ("binder: use standard functions to allocate fds") Suggested-by: Al Viro Signed-off-by: Todd Kjos Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/android/binder.c | 63 +++++++++++++++++++++++++++++++++++++++++++++-- fs/file.c | 29 +++++++++++++++++++++ include/linux/fdtable.h | 1 3 files changed, 91 insertions(+), 2 deletions(-) --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -72,6 +72,7 @@ #include #include #include +#include #include @@ -2160,6 +2161,64 @@ static bool binder_validate_fixup(struct return (fixup_offset >= last_min_offset); } +/** + * struct binder_task_work_cb - for deferred close + * + * @twork: callback_head for task work + * @fd: fd to close + * + * Structure to pass task work to be handled after + * returning from binder_ioctl() via task_work_add(). + */ +struct binder_task_work_cb { + struct callback_head twork; + struct file *file; +}; + +/** + * binder_do_fd_close() - close list of file descriptors + * @twork: callback head for task work + * + * It is not safe to call ksys_close() during the binder_ioctl() + * function if there is a chance that binder's own file descriptor + * might be closed. This is to meet the requirements for using + * fdget() (see comments for __fget_light()). Therefore use + * task_work_add() to schedule the close operation once we have + * returned from binder_ioctl(). This function is a callback + * for that mechanism and does the actual ksys_close() on the + * given file descriptor. + */ +static void binder_do_fd_close(struct callback_head *twork) +{ + struct binder_task_work_cb *twcb = container_of(twork, + struct binder_task_work_cb, twork); + + fput(twcb->file); + kfree(twcb); +} + +/** + * binder_deferred_fd_close() - schedule a close for the given file-descriptor + * @fd: file-descriptor to close + * + * See comments in binder_do_fd_close(). This function is used to schedule + * a file-descriptor to be closed after returning from binder_ioctl(). + */ +static void binder_deferred_fd_close(int fd) +{ + struct binder_task_work_cb *twcb; + + twcb = kzalloc(sizeof(*twcb), GFP_KERNEL); + if (!twcb) + return; + init_task_work(&twcb->twork, binder_do_fd_close); + __close_fd_get_file(fd, &twcb->file); + if (twcb->file) + task_work_add(current, &twcb->twork, true); + else + kfree(twcb); +} + static void binder_transaction_buffer_release(struct binder_proc *proc, struct binder_buffer *buffer, binder_size_t *failed_at) @@ -2299,7 +2358,7 @@ static void binder_transaction_buffer_re } fd_array = (u32 *)(parent_buffer + (uintptr_t)fda->parent_offset); for (fd_index = 0; fd_index < fda->num_fds; fd_index++) - ksys_close(fd_array[fd_index]); + binder_deferred_fd_close(fd_array[fd_index]); } break; default: pr_err("transaction release %d bad object type %x\n", @@ -3912,7 +3971,7 @@ static int binder_apply_fd_fixups(struct } else if (ret) { u32 *fdp = (u32 *)(t->buffer->data + fixup->offset); - ksys_close(*fdp); + binder_deferred_fd_close(*fdp); } list_del(&fixup->fixup_entry); kfree(fixup); --- a/fs/file.c +++ b/fs/file.c @@ -640,6 +640,35 @@ out_unlock: } EXPORT_SYMBOL(__close_fd); /* for ksys_close() */ +/* + * variant of __close_fd that gets a ref on the file for later fput + */ +int __close_fd_get_file(unsigned int fd, struct file **res) +{ + struct files_struct *files = current->files; + struct file *file; + struct fdtable *fdt; + + spin_lock(&files->file_lock); + fdt = files_fdtable(files); + if (fd >= fdt->max_fds) + goto out_unlock; + file = fdt->fd[fd]; + if (!file) + goto out_unlock; + rcu_assign_pointer(fdt->fd[fd], NULL); + __put_unused_fd(files, fd); + spin_unlock(&files->file_lock); + get_file(file); + *res = file; + return filp_close(file, files); + +out_unlock: + spin_unlock(&files->file_lock); + *res = NULL; + return -ENOENT; +} + void do_close_on_exec(struct files_struct *files) { unsigned i; --- a/include/linux/fdtable.h +++ b/include/linux/fdtable.h @@ -121,6 +121,7 @@ extern void __fd_install(struct files_st unsigned int fd, struct file *file); extern int __close_fd(struct files_struct *files, unsigned int fd); +extern int __close_fd_get_file(unsigned int fd, struct file **res); extern struct kmem_cache *files_cachep;