From: Todd Kjos
To: tkjos@google.com, gregkh@linuxfoundation.org, arve@android.com, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, maco@google.com
Cc: joel@joelfernandes.org, kernel-team@android.com
Subject: [PATCH] binder: check for overflow when alloc for security context
Date: Wed, 24 Apr 2019 12:31:18 -0700
Message-Id: <20190424193118.207428-1-tkjos@google.com>
X-Mailer: git-send-email 2.21.0.593.g511ec345e18-goog
X-Mailing-List: linux-kernel@vger.kernel.org

When allocating space in the target buffer for the security context,
make sure the extra_buffers_size doesn't overflow. This can only
happen if the given size is invalid, but an overflow can turn it into
a valid size. Fail the transaction if an overflow is detected.

Signed-off-by: Todd Kjos
---
 drivers/android/binder.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 4b9c7ca492e6d..6f0712f0767c5 100644
--- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3121,6 +3121,7 @@ static void binder_transaction(struct binder_proc *proc, if (target_node && target_node->txn_security_ctx) { u32 secid; + size_t added_size; security_task_getsecid(proc->tsk, &secid); ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); @@ -3130,7 +3131,15 @@ static void binder_transaction(struct binder_proc *proc, return_error_line = __LINE__; goto err_get_secctx_failed; } - extra_buffers_size += ALIGN(secctx_sz, sizeof(u64)); + added_size = ALIGN(secctx_sz, sizeof(u64)); + extra_buffers_size += added_size; + if (extra_buffers_size < added_size) { + /* integer overflow of extra_buffers_size */ + return_error = BR_FAILED_REPLY; + return_error_param = EINVAL; + return_error_line = __LINE__; + goto err_bad_extra_size; + } } trace_binder_transaction(reply, t, target_node); @@ -3480,6 +3489,7 @@ static void binder_transaction(struct binder_proc *proc, t->buffer->transaction = NULL; binder_alloc_free_buf(&target_proc->alloc, t->buffer); err_binder_alloc_buf_failed: +err_bad_extra_size: if (secctx) security_release_secctx(secctx, secctx_sz); err_get_secctx_failed: -- 2.21.0.593.g511ec345e18-goog
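Review bot: in the second hunk (@@ -3130), the wraparound test `if (extra_buffers_size < added_size)` is only sound if extra_buffers_size is an unsigned type of at least the width of added_size; the hunk shows added_size as size_t but not the accumulator's type, so please confirm they match, because a signed accumulator would already be undefined behaviour on the addition before the comparison runs. The kernel's check_add_overflow() from linux/overflow.h states the intent directly and enforces matching operand types at compile time, e.g. `if (check_add_overflow(extra_buffers_size, added_size, &extra_buffers_size))` in place of the separate add-then-compare. The commit message could also say in one sentence why this matters: a caller-supplied extra_buffers_size that wraps here would otherwise pass the later size validation as a small, valid value.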
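Review bot: in the third hunk (@@ -3480), placing `err_bad_extra_size:` after `err_binder_alloc_buf_failed:` but before `if (secctx) security_release_secctx(secctx, secctx_sz);` is the correct unwind order: the new goto fires after security_secid_to_secctx() has succeeded and before any target buffer exists, so binder_alloc_free_buf() must be skipped while secctx must still be released. A short comment on the label recording that invariant would protect it the next time someone reorders the error labels in binder_transaction().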