From: Todd Kjos
To: tkjos@google.com, gregkh@linuxfoundation.org, arve@android.com, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, maco@google.com
Cc: joel@joelfernandes.org, kernel-team@android.com, paul@paul-moore.com, selinux@vger.kernel.org
Subject: [PATCH] binder: fix BUG_ON found by selinux-testsuite
Date: Wed, 20 Mar 2019 15:35:45 -0700
Message-Id: <20190320223545.35785-1-tkjos@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The selinux-testsuite found an issue resulting in a BUG_ON() where a conditional relied on a size_t going negative when checking the validity of a buffer offset.

Fixes: 7a67a39320df ("binder: add function to copy binder object from buffer")
Reported-by: Paul Moore
Tested-by: Paul Moore
Signed-off-by: Todd Kjos
---
Please add to 5.1 (fixes problem introduced in 5.1-rc1)

 drivers/android/binder.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 8685882da64cd..4b9c7ca492e6d 100644
--- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2057,7 +2057,8 @@ static size_t binder_get_object(struct binder_proc *proc, size_t object_size = 0; read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset); - if (read_size < sizeof(*hdr) || !IS_ALIGNED(offset, sizeof(u32))) + if (offset > buffer->data_size || read_size < sizeof(*hdr) || + !IS_ALIGNED(offset, sizeof(u32))) return 0; binder_alloc_copy_from_buffer(&proc->alloc, object, buffer, offset, read_size); -- 2.21.0.225.g810b269d1ac-goog
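
Review bot: the subtraction `buffer->data_size - offset` in the `min_t()` line still runs before the new `offset > buffer->data_size` test, so for an out-of-range offset read_size is computed from a wrapped size_t (clamped to sizeof(*object)) and is kept away from binder_alloc_copy_from_buffer() only by the new first operand of the `if`. Consider doing the bounds test before read_size is computed, or adding a comment that this operand must stay in the condition, so a later rework of the check cannot let the wrapped value reach the copy again. The offset == buffer->data_size case passes the new test with read_size 0 and is rejected by `read_size < sizeof(*hdr)`; that dependency is worth noting in the same comment.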