From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+8b3c354d33c4ac78bfad@syzkaller.appspotmail.com, Hridya Valsaraju, Todd Kjos
Subject: [PATCH 5.2 185/215] binder: prevent transactions to context manager from its own process.
Date: Mon, 29 Jul 2019 21:23:01 +0200
Message-Id: <20190729190812.268949872@linuxfoundation.org>
In-Reply-To: <20190729190739.971253303@linuxfoundation.org>
References: <20190729190739.971253303@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Hridya Valsaraju

commit 49ed96943a8e0c62cc5a9b0a6cfc88be87d1fcec upstream.

Currently, a transaction to the context manager from its own process is prevented by checking whether its binder_proc struct is the same as that of the sender. However, this would not catch cases where the process opens the binder device again and uses the new fd to send a transaction to the context manager.

Reported-by: syzbot+8b3c354d33c4ac78bfad@syzkaller.appspotmail.com
Signed-off-by: Hridya Valsaraju
Acked-by: Todd Kjos
Cc: stable
Link: https://lore.kernel.org/r/20190715191804.112933-1-hridya@google.com
Signed-off-by: Greg Kroah-Hartman
---
 drivers/android/binder.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2988,7 +2988,7 @@ static void binder_transaction(struct bi else return_error = BR_DEAD_REPLY; mutex_unlock(&context->context_mgr_node_lock); - if (target_node && target_proc == proc) { + if (target_node && target_proc->pid == proc->pid) { binder_user_error("%d:%d got transaction to context manager from process owning it\n", proc->pid, thread->pid); return_error = BR_FAILED_REPLY;
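Review bot: the new condition dereferences target_proc (`target_proc->pid`) where the old one only compared pointers, and the visible context shows the else branch that sets BR_DEAD_REPLY but not where target_proc is assigned, so the change relies on target_proc being non-NULL whenever target_node is non-NULL; please confirm that invariant holds on every path into this check. It would also help to add a one-line comment above the `if` explaining why the pid is compared rather than the binder_proc pointer (a process that opens the device a second time gets a distinct binder_proc), since at present the commit message is the only place that reasoning is recorded and the next reader of `target_proc->pid == proc->pid` may be tempted to "simplify" it back to a pointer comparison.

The commit message describes a check that used object identity (the binder_proc pointer) as a proxy for process identity, and how a second open() of the device defeats it. The following is an added, stand-alone C model of that mistake and of the pid-based check the patch adopts; it is not kernel code and not part of the original patch or e-mail. The struct, the `open_binder` helper and the scenario function are hypothetical stand-ins; the only assumption carried over from the commit message is that each open of the device yields a fresh binder_proc sharing the caller's pid.

```c
/* Added model of the identity check changed by the patch. Not kernel code:
 * struct layout, open_binder() and check_outcome() are hypothetical.
 * Assumption (from the commit message): every open() of the binder device
 * gives the caller a distinct binder_proc that records the same pid. */
#include <stdbool.h>
#include <stdlib.h>
#include <sys/types.h>

struct binder_proc {
    pid_t pid;        /* owning process as recorded by the driver */
    int   fd_serial;  /* which open() of the device produced this object */
};

/* Each open() allocates a new binder_proc for the calling process. */
static struct binder_proc *open_binder(pid_t pid, int fd_serial)
{
    struct binder_proc *p = calloc(1, sizeof *p);
    if (p) {
        p->pid = pid;
        p->fd_serial = fd_serial;
    }
    return p;
}

/* Pre-patch check: is the sender the very same binder_proc object? */
static bool rejects_by_proc_ptr(const struct binder_proc *target_proc,
                                const struct binder_proc *proc)
{
    return target_proc == proc;
}

/* Post-patch check: does the sender belong to the same process? */
static bool rejects_by_pid(const struct binder_proc *target_proc,
                           const struct binder_proc *proc)
{
    return target_proc->pid == proc->pid;
}

/* The context manager is registered by pid 1000 through its first fd.
 * Returns a bitmask: bit 0 set if the old pointer check rejects the
 * transaction, bit 1 set if the new pid check rejects it.
 *   same_object = true  -> sender uses the fd that registered the manager
 *   same_object = false -> sender is a fresh open() by sender_pid        */
unsigned check_outcome(bool same_object, pid_t sender_pid)
{
    const pid_t manager_pid = 1000;
    struct binder_proc *mgr = open_binder(manager_pid, 1);
    struct binder_proc *sender = same_object ? mgr
                                             : open_binder(sender_pid, 2);
    unsigned mask = 0;

    if (!mgr || !sender) {
        free(mgr);
        if (sender != mgr)
            free(sender);
        return mask;
    }
    if (rejects_by_proc_ptr(mgr, sender))
        mask |= 1u;
    if (rejects_by_pid(mgr, sender))
        mask |= 2u;

    if (sender != mgr)
        free(sender);
    free(mgr);
    return mask;
}

int main(void)
{
    /* Same fd: both checks reject. Second open() by the owning process:
     * only the pid check rejects. Unrelated process: neither rejects. */
    return (check_outcome(true, 1000) == 3u &&
            check_outcome(false, 1000) == 2u &&
            check_outcome(false, 2000) == 0u) ? 0 : 1;
}
```

The middle case is the one the commit message describes: the sender's binder_proc is a different object, so the pointer comparison passes the transaction through, while the pid comparison still identifies it as coming from the process that owns the context manager. The third case shows that the pid check does not over-reject an unrelated process.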