Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp4790992ybp; Mon, 7 Oct 2019 14:06:20 -0700 (PDT) X-Google-Smtp-Source: APXvYqxkAiAUlbeG4TJBS4mdaUOproRUnEiVFmt1zZaY1ZNKN1DxyQJij1cnfpOMOMX/wuINMNrX X-Received: by 2002:a17:906:19d3:: with SMTP id h19mr26123441ejd.121.1570482380561; Mon, 07 Oct 2019 14:06:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570482380; cv=none; d=google.com; s=arc-20160816; b=Z0IhPRYXmqltAxlNVi1PipV+7ByiI49L6GiEnWzvSRj4YW3gE0x6K613/2h97PsOuz /hlciDb0PWQGOm1ljjcOJRhzzFEngGyg5SZmaA6L25ljVwIM+zw8LoT+gGxaSZvvQ/Kg KlaambkRfLsoP47G1+VrFAXisrR4Y11X2kWb7YtK8Eh6Zv7oJ2ijbWmI7Zo1NZpQRLzM YUNVnM5rcMgwweFcb1jLekCvNNmjJAjfSrlQas+zn9LAbyPuhllgMYWJeCC9xKKdRZL7 75U7BAjW46SiUVaGSfQIsxoikFb9Po1cN6v0urEKmkjDBWssWvQhdhHkDDE3UPGxP4mG pH2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=nX4dit1R51BRJb9O3B6rK8OfqGHdeW2el+JSorgiNCY=; b=DgE+TjdLbVS8p+fpkE8Mnhe1gTjqvU7L5pgkURZDoTakz4XS71b6827dBx1ABcf3zF InewzAGP0zjJW+ALbwi+Wm0B1ttv0Gc2I45eRYguJZEctOjKuKqpJQ+NcHGyAef4qRHN ZYZsKLzN6flPudT+wHG4c7K2HSzn7JYse8r8mDfbVqLSxdb78FRa918xXuYginFxlU99 e6mq4VWjVomng3/t0qa1ce2HS1pGb7lvqheAPw8iBldu59Nsm26/z/euFYU2HUH+m3zS vmScgCT5rfoGKLShSn+6xoJaxCD7iEIZfS7vtPpVrfGJhOMXWmCL9w2JdKxA637Do6nP k41A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z33si10313938edz.314.2019.10.07.14.05.57; Mon, 07 Oct 2019 14:06:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729174AbfJGVFn (ORCPT + 99 others); Mon, 7 Oct 2019 17:05:43 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:35383 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728330AbfJGVFn (ORCPT ); Mon, 7 Oct 2019 17:05:43 -0400 Received: from [213.220.153.21] (helo=wittgenstein) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1iHaCG-0005vQ-E7; Mon, 07 Oct 2019 21:05:36 +0000 Date: Mon, 7 Oct 2019 23:05:35 +0200 From: Christian Brauner To: Jann Horn Cc: Todd Kjos , Martijn Coenen , Arve =?utf-8?B?SGrDuG5uZXbDpWc=?= , Joel Fernandes , "open list:ANDROID DRIVERS" , kernel list , Greg Kroah-Hartman Subject: Re: UAF read in print_binder_transaction_log_entry() on ANDROID_BINDERFS kernels Message-ID: <20191007210534.wqnizdp6pl7gn5qe@wittgenstein> References: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20180716 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Oct 07, 2019 at 10:49:57PM +0200, Jann Horn wrote: > Hi! > > There is a use-after-free read in print_binder_transaction_log_entry() > on ANDROID_BINDERFS kernels because > print_binder_transaction_log_entry() prints the char* e->context_name > as string, and if the transaction occurred on a binder device from > binderfs, e->context_name belongs to the binder device and is freed > when the inode disappears. > > Luckily this shouldn't have security implications, since: > > a) reading the binder transaction log is already a pretty privileged operation > b) I can't find any actual users of ANDROID_BINDERFS > > I guess there are three ways to fix it: > 1) Create a new shared global spinlock for binderfs_evict_inode() and > binder_transaction_log_show(), and let binderfs_evict_inode() scan the > transaction log for pointers to its name and replace them with > pointers to a statically-allocated string "{DELETED}" or something > like that. > 2) Let the transaction log contain non-reusable device identifiers > instead of name pointers, and let print_binder_transaction_log_entry() > look them up in something like a hashtable. > 3) Just copy the name into the transaction log every time. > > I'm not sure which one is better, or whether there's a nicer fourth > option, so I'm leaving writing a patch for this to y'all. Moin, Thanks for the report. Android binderfs is enabled by default on Ubuntu and - iirc - Debian kernels. It is actively used by Anbox to run Android in containers. The codepath you're referring to is specific to the stats=global mount option. This was contributed by the Android team for the 5.4 cycle (cf. [1]). That means there is no released kernel that supports the stats=global mount option. So all current users cannot be affected by this bug. I'll take a look at this tomorrow and see what makes the most sense. I agree that this is not a security issue. Thanks for catching this early. If you already have a script that trivially reproduces the bug it'd be nice if you could paste it. Otherwise we can just add a reproducer based on your snippet from below. I want to add a regression test for this. [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f00834518ed3194b866f5f3d63b71e0ed7f6bc00 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0e13e452dafc009049a9a5a4153e2f9e51b23915 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=03e2e07e38147917482d595ad3cf193212ded8ac https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4feb80faf428a02d407a9ea1952004af01308765 Thanks! Christian