From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+8b3c354d33c4ac78bfad@syzkaller.appspotmail.com, Hridya Valsaraju, Todd Kjos
Subject: [PATCH 4.19 103/113] binder: prevent transactions to context manager from its own process.
Date: Mon, 29 Jul 2019 21:23:10 +0200
Message-Id: <20190729190720.129090388@linuxfoundation.org>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190729190655.455345569@linuxfoundation.org>
References: <20190729190655.455345569@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Hridya Valsaraju

commit 49ed96943a8e0c62cc5a9b0a6cfc88be87d1fcec upstream.

Currently, a transaction to the context manager from its own process is
prevented by checking if its binder_proc struct is the same as that of
the sender. However, this would not catch cases where the process opens
the binder device again and uses the new fd to send a transaction to the
context manager.

Reported-by: syzbot+8b3c354d33c4ac78bfad@syzkaller.appspotmail.com
Signed-off-by: Hridya Valsaraju
Acked-by: Todd Kjos
Cc: stable
Link: https://lore.kernel.org/r/20190715191804.112933-1-hridya@google.com
Signed-off-by: Greg Kroah-Hartman
---
 drivers/android/binder.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2838,7 +2838,7 @@ static void binder_transaction(struct bi else return_error = BR_DEAD_REPLY; mutex_unlock(&context->context_mgr_node_lock); - if (target_node && target_proc == proc) { + if (target_node && target_proc->pid == proc->pid) { binder_user_error("%d:%d got transaction to context manager from process owning it\n", proc->pid, thread->pid); return_error = BR_FAILED_REPLY;
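Review bot: the new condition dereferences `target_proc->pid`, so it now relies on target_proc being non-NULL whenever target_node is non-NULL, whereas the old `target_proc == proc` comparison was harmless with a NULL target_proc. The visible context (`else return_error = BR_DEAD_REPLY;` right before the `mutex_unlock(&context->context_mgr_node_lock);`) suggests target_proc is filled in together with target_node in the branch just above the hunk, but that guarantee sits outside the shown lines and should be confirmed before merging. Comparing pids instead of binder_proc pointers is the right shape of fix for the case the commit message describes: a second open of the binder device yields a separate binder_proc for the same process, so only the pid check rejects it, and the existing "got transaction to context manager from process owning it" message still describes the check accurately.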