Date: Mon, 15 Jul 2019 12:18:04 -0700
Message-Id: <20190715191804.112933-1-hridya@google.com>
Subject: [PATCH] binder: prevent transactions to context manager from its own process.
From: Hridya Valsaraju
To: Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org
Cc: kernel-team@android.com, Hridya Valsaraju, syzbot+8b3c354d33c4ac78bfad@syzkaller.appspotmail.com
X-Mailing-List: linux-kernel@vger.kernel.org

Currently, a transaction to the context manager from its own process is prevented by checking if its binder_proc struct is the same as that of the sender. However, this would not catch cases where the process opens the binder device again and uses the new fd to send a transaction to the context manager.

Reported-by: syzbot+8b3c354d33c4ac78bfad@syzkaller.appspotmail.com
Signed-off-by: Hridya Valsaraju
---
 drivers/android/binder.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index e4d25ebec5be..89b9cedae088 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3138,7 +3138,7 @@ static void binder_transaction(struct binder_proc *proc, else return_error = BR_DEAD_REPLY; mutex_unlock(&context->context_mgr_node_lock); - if (target_node && target_proc == proc) { + if (target_node && target_proc->pid == proc->pid) { binder_user_error("%d:%d got transaction to context manager from process owning it\n", proc->pid, thread->pid); return_error = BR_FAILED_REPLY; -- 2.22.0.510.g264f2c817a-goog
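Review bot: the switch from `target_proc == proc` to `target_proc->pid == proc->pid` closes the bypass described in the commit message (a second open of the binder device gives the same process a new binder_proc, so the pointer compare never matched), but nothing in the code says why a pid comparison is needed; add a one-line comment above the check, e.g. `/* compare pids, not procs: a process may open the binder device more than once */`, so it is not later "simplified" back to a pointer compare. Note that dereferencing `target_proc` here is only safe because `target_node &&` short-circuits first, which relies on `target_proc` being populated whenever `target_node` is non-NULL in the lookup just above; worth stating that in the commit message. Since the change addresses a syzbot report, a `Fixes:` tag naming the commit that introduced the pointer-based check would help stable backports.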