References: <20191008130159.10161-1-christian.brauner@ubuntu.com>
In-Reply-To: <20191008130159.10161-1-christian.brauner@ubuntu.com>
From: Hridya Valsaraju
Date: Tue, 8 Oct 2019 10:18:48 -0700
Subject: Re: [PATCH] binder: prevent UAF read in print_binder_transaction_log_entry()
To: Christian Brauner
Cc: jannh@google.com, Arve Hjønnevåg, Christian Brauner, "open list:ANDROID DRIVERS", Greg Kroah-Hartman, Joel Fernandes, LKML, Martijn Coenen, Todd Kjos, Todd Kjos
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Oct 8, 2019 at 6:02 AM Christian Brauner wrote:
>
> When a binder transaction is initiated on a binder device coming from a
> binderfs instance, a pointer to the name of the binder device is stashed
> in the binder_transaction_log_entry's context_name member. Later on it
> is used to print the name in print_binder_transaction_log_entry(). By
> the time print_binder_transaction_log_entry() accesses context_name,
> binderfs_evict_inode() might have already freed the associated memory,
> thereby causing a UAF. Do the simple thing and prevent this by copying
> the name of the binder device instead of stashing a pointer to it.
>
> Reported-by: Jann Horn
> Fixes: 03e2e07e3814 ("binder: Make transaction_log available in binderfs")
> Link: https://lore.kernel.org/r/CAG48ez14Q0-F8LqsvcNbyR2o6gPW8SHXsm4u5jmD9MpsteM2Tw@mail.gmail.com
> Cc: Joel Fernandes
> Cc: Todd Kjos
> Cc: Hridya Valsaraju
> Signed-off-by: Christian Brauner

Reviewed-by: Hridya Valsaraju

Thank you for sending out this fix, Christian!

Regards,
Hridya

> --- > drivers/android/binder.c | 4 +++- > drivers/android/binder_internal.h | 2 +- > 2 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c > index c0a491277aca..5b9ac2122e89 100644 > --- a/drivers/android/binder.c > +++ b/drivers/android/binder.c > @@ -57,6 +57,7 @@ > #include > #include > #include > +#include > #include > #include > #include 
> @@ -66,6 +67,7 @@ > #include > > #include > +#include > > #include > > @@ -2876,7 +2878,7 @@ static void binder_transaction(struct binder_proc *proc, > e->target_handle = tr->target.handle; > e->data_size = tr->data_size; > e->offsets_size = tr->offsets_size; > - e->context_name = proc->context->name; > + strscpy(e->context_name, proc->context->name, BINDERFS_MAX_NAME); > > if (reply) { > binder_inner_proc_lock(proc); > diff --git a/drivers/android/binder_internal.h b/drivers/android/binder_internal.h > index bd47f7f72075..ae991097d14d 100644 > --- a/drivers/android/binder_internal.h > +++ b/drivers/android/binder_internal.h > @@ -130,7 +130,7 @@ struct binder_transaction_log_entry { > int return_error_line; > uint32_t return_error; > uint32_t return_error_param; > - const char *context_name; > + char context_name[BINDERFS_MAX_NAME + 1]; > }; > > struct binder_transaction_log { > -- > 2.23.0 >
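Review bot: the header names on the two added `#include` lines in the binder.c hunks (@@ -57 and @@ -66) are not visible in this rendering of the patch, so the diff alone does not show which header supplies strscpy() and which supplies BINDERFS_MAX_NAME, both of which the later binder_transaction() hunk depends on; naming the headers in the commit message would let reviewers of the archived thread confirm that binder.c does not rely on include order for those symbols.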
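Review bot: the size argument to strscpy() in the binder_transaction() hunk is the bare constant BINDERFS_MAX_NAME while the destination is declared as `char context_name[BINDERFS_MAX_NAME + 1]`; passing `sizeof(e->context_name)` instead ties the bound to the declaration so the two cannot drift apart, and makes the extra byte usable for a full-length name. The return value of strscpy() is also discarded, which is safe for termination (strscpy always NUL-terminates) but means a name longer than the bound is silently truncated in the log rather than flagged.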
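Review bot: turning context_name from a `const char *` into an inline `char [BINDERFS_MAX_NAME + 1]` array is the right shape of fix, since the entry now owns the bytes it later prints and no longer shares a lifetime with the binderfs inode that binderfs_evict_inode() tears down; the cost is that every binder_transaction_log_entry grows by BINDERFS_MAX_NAME + 1 bytes, and any fixed array of entries embedded in binder_transaction_log (declared immediately after the hunk) multiplies that growth, so the commit message should state the resulting per-log memory increase to make the trade-off against the UAF read explicit.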
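As an added example that is not code from the patch or the kernel, the following user-space model shows the by-value fix the patch applies: the log entry owns a bounded copy of the device name, so the later read stays valid after the name's owner frees it. binder_strscpy() is a hypothetical stand-in for the kernel's strscpy() contract, and BINDERFS_MAX_NAME = 255 is an assumed value.

```c
/* Added example (not the patch's or the kernel's code): user-space model of the
 * fix. The entry owns a copy of the device name instead of a pointer into memory
 * that binderfs_evict_inode() may free first. binder_strscpy() stands in for the
 * kernel's strscpy(); BINDERFS_MAX_NAME = 255 is an assumed value. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define BINDERFS_MAX_NAME 255

struct log_entry {
	char context_name[BINDERFS_MAX_NAME + 1];   /* owned bytes, not a pointer */
};

/* strscpy contract: copy at most size-1 bytes, always NUL-terminate, return length copied or -E2BIG. */
static ssize_t binder_strscpy(char *dst, const char *src, size_t size)
{
	size_t len = strnlen(src, size);
	if (size == 0)
		return -E2BIG;
	if (len == size) {                /* source does not fit: truncate */
		memcpy(dst, src, size - 1);
		dst[size - 1] = '\0';
		return -E2BIG;
	}
	memcpy(dst, src, len + 1);        /* includes the terminator */
	return (ssize_t)len;
}

/* Bound the copy with sizeof() so the limit cannot drift from the declaration.
 * Returns 0, or -E2BIG if the name was truncated. */
int log_entry_set_name(struct log_entry *e, const char *name)
{
	ssize_t rc = binder_strscpy(e->context_name, name, sizeof(e->context_name));
	return rc < 0 ? (int)rc : 0;
}

/* Same ordering as the commit message: the owner frees the name before the entry
 * is printed. Returns 1 when the copied name is still intact after the free. */
int name_survives_owner_free(void)
{
	struct log_entry e;
	char *owner = strdup("binder-control");   /* constructed device name */
	if (!owner)
		return 0;
	log_entry_set_name(&e, owner);
	free(owner);                              /* owner gone; copy unaffected */
	return strcmp(e.context_name, "binder-control") == 0;
}
```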