From: Todd Kjos
To: tkjos@google.com, gregkh@linuxfoundation.org, arve@android.com, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, maco@google.com
Cc: joel@joelfernandes.org, kernel-team@android.com, syzbot+55de1eb4975dec156d8f@syzkaller.appspotmail.com
Subject: [PATCH] binder: fix handling of misaligned binder object
Date: Thu, 14 Feb 2019 15:22:57 -0800
Message-Id: <20190214232257.76856-1-tkjos@google.com>

Fixes crash found by syzbot:
kernel BUG at drivers/android/binder_alloc.c:LINE! (2)

Reported-by: syzbot+55de1eb4975dec156d8f@syzkaller.appspotmail.com
Signed-off-by: Todd Kjos
---
Applies to linux-next

 drivers/android/binder.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 2dba539eb792c..8685882da64cd 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c 
@@ -2057,7 +2057,7 @@ static size_t binder_get_object(struct binder_proc *proc, size_t object_size = 0; read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset); - if (read_size < sizeof(*hdr)) + if (read_size < sizeof(*hdr) || !IS_ALIGNED(offset, sizeof(u32))) return 0; binder_alloc_copy_from_buffer(&proc->alloc, object, buffer, offset, read_size); -- 2.21.0.rc0.258.g878e2cd30e-goog
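
Review bot: In the read_size computation just above the changed condition, buffer->data_size - offset is a size_t subtraction, and nothing in the visible context checks that offset <= buffer->data_size first. An offset past the end of the data would wrap, min_t() would return sizeof(*object), and the read_size < sizeof(*hdr) test would pass. Since this condition is now validating offset anyway, consider rejecting offset > buffer->data_size in the same if, or note in the commit message where callers guarantee it. Separately, the commit message names the BUG in binder_alloc.c but does not say why a misaligned offset reaches it; one sentence on that plus a Fixes: tag would make backporting decisions easier.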