Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp1002914ybp; Wed, 9 Oct 2019 07:30:52 -0700 (PDT) X-Google-Smtp-Source: APXvYqyAWGpeABb3Ca/6iPCKpf/dXFt+XPc8Fz4QyfD0CbdePP4Ja6vRPeFUp7l318nqzIGbPUa4 X-Received: by 2002:a05:6402:60e:: with SMTP id n14mr3346021edv.147.1570631452656; Wed, 09 Oct 2019 07:30:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570631452; cv=none; d=google.com; s=arc-20160816; b=VekJvDkDdHvLeuDmJcG4muf9oIfzIlVlLsqPLXgX2tBlH6p0tss3LdAKGnDtszTDJ1 qdRcQUkYgw9YJhBEmvEcYaD7T5Da83ylW6J7uMtDKwg0a+3Gjr9snve+Q74GEQb1HBKR XLSnpYh33HW4yvqjJKDVBwP1x/33MHd8lNvf/BFCcI2LL54G1XdR1JvN5vEEl2yP4GR2 FnpABU/U0aL5ivWY1vdqu43djr4eo2VyDtCQ7e8OrbZxYBTP7/8nnZOj3iEpqx2+7jkR IwVBHK9MOZcsrjC2jMYORNoKCsZ6tIHqsH9kbNV4sDae9M5aPMub6e1oeZFPHXoVisXc L/QA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=xmirHmvV9dj/Aij6TH46CXTF9dYfbOq1nVCKiLlfidE=; b=a860DW2V4jlUWC+p9HBA179pTyqZUynMMo+BaW7BomxphEtL/lJNdVU82V6p1DUjVm TUjacFjQ+CPwIsGZEn3LTQ8zJ/iCORnAgurPm1GqE4PEGrfSDDs4nIrpIC5nc9pl2pOH 9UQO/U5kTUkDg31gUB9KxrPG25zYX+5SZuFnCIL8mDVsN/2ycGI8KoK/rmHdGWErm4jL 3T8iQIJ1AuV0wxqu5VFKkBhY19pEM94rDmDWRsehZisLo4/uCsUE/FjQmakzWDJuT09E QhdCJZREcu/zsHBk1nhTRXCvU4SZE4ZlcD5RhYunWOCF9mEAu9psGUQKxUV/oEmG2Yj0 th8w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e18si1298503eds.68.2019.10.09.07.30.28; Wed, 09 Oct 2019 07:30:52 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731544AbfJIO3T (ORCPT + 99 others); Wed, 9 Oct 2019 10:29:19 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:34818 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731145AbfJIO3T (ORCPT ); Wed, 9 Oct 2019 10:29:19 -0400 Received: from [213.220.153.21] (helo=wittgenstein) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1iICxk-0003zb-4Q; Wed, 09 Oct 2019 14:29:12 +0000 Date: Wed, 9 Oct 2019 16:29:11 +0200 From: Christian Brauner To: Joel Fernandes Cc: Todd Kjos , jannh@google.com, arve@android.com, christian@brauner.io, devel@driverdev.osuosl.org, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, maco@android.com, tkjos@google.com, Hridya Valsaraju Subject: Re: [PATCH] binder: prevent UAF read in print_binder_transaction_log_entry() Message-ID: <20191009142910.ggerxqxkft2ifhdn@wittgenstein> References: <20191008130159.10161-1-christian.brauner@ubuntu.com> <20191008180516.GB143258@google.com> <20191009104011.rzfdvq7otkkj533m@wittgenstein> <20191009142129.GD143258@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20191009142129.GD143258@google.com> User-Agent: NeoMutt/20180716 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Oct 09, 2019 at 10:21:29AM -0400, Joel Fernandes wrote: > On Wed, Oct 09, 2019 at 12:40:12PM +0200, Christian Brauner wrote: > > On Tue, Oct 08, 2019 at 02:05:16PM -0400, Joel Fernandes wrote: > > > On Tue, Oct 08, 2019 at 03:01:59PM +0200, Christian Brauner wrote: > > > > When a binder transaction is initiated on a binder device coming from a > > > > binderfs instance, a pointer to the name of the binder device is stashed > > > > in the binder_transaction_log_entry's context_name member. Later on it > > > > is used to print the name in print_binder_transaction_log_entry(). By > > > > the time print_binder_transaction_log_entry() accesses context_name > > > > binderfs_evict_inode() might have already freed the associated memory > > > > thereby causing a UAF. Do the simple thing and prevent this by copying > > > > the name of the binder device instead of stashing a pointer to it. > > > > > > > > Reported-by: Jann Horn > > > > Fixes: 03e2e07e3814 ("binder: Make transaction_log available in binderfs") > > > > Link: https://lore.kernel.org/r/CAG48ez14Q0-F8LqsvcNbyR2o6gPW8SHXsm4u5jmD9MpsteM2Tw@mail.gmail.com > > > > Cc: Joel Fernandes > > > > Cc: Todd Kjos > > > > Cc: Hridya Valsaraju > > > > Signed-off-by: Christian Brauner > > > > --- > > > > drivers/android/binder.c | 4 +++- > > > > drivers/android/binder_internal.h | 2 +- > > > > 2 files changed, 4 insertions(+), 2 deletions(-) > > > > > > > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c > > > > index c0a491277aca..5b9ac2122e89 100644 > > > > --- a/drivers/android/binder.c > > > > +++ b/drivers/android/binder.c > > > > @@ -57,6 +57,7 @@ > > > > #include > > > > #include > > > > #include > > > > +#include > > > > #include > > > > #include > > > > #include > > > > @@ -66,6 +67,7 @@ > > > > #include > > > > > > > > #include > > > > +#include > > > > > > > > #include > > > > > > > > @@ -2876,7 +2878,7 @@ static void binder_transaction(struct binder_proc *proc, > > > > e->target_handle = tr->target.handle; > > > > e->data_size = tr->data_size; > > > > e->offsets_size = tr->offsets_size; > > > > - e->context_name = proc->context->name; > > > > + strscpy(e->context_name, proc->context->name, BINDERFS_MAX_NAME); > > > > > > Strictly speaking, proc-context->name can also be initialized for !BINDERFS > > > so the BINDERFS in the MAX_NAME macro is misleading. So probably there should > > > be a BINDER_MAX_NAME (and associated checks for whether non BINDERFS names > > > fit within the MAX. > > > > I know but I don't think it's worth special-casing non-binderfs devices. > > First, non-binderfs devices can only be created through a KCONFIG option > > determined at compile time. For stock Android the names are the same for > > all vendors afaik. > > I am just talking about the name of weirdly named macro here. You might miss context here: It's named that way because currently only binderfs binder devices are bound to that limit. That's a point I made further below in my previous mail. Non-binderfs devices are not subject to that restriction and when we tried to make them subject to the same it as rejected. > > > Fifth, I already tried to push for validation of non-binderfs binder > > devices a while back when I wrote binderfs and was told that it's not > > needed. Hrydia tried the same and we decided the same thing. So you get > > to be the next person to send a patch. :) > > I don't follow why we are talking about non-binderfs validation. I am just Because above you said > > > so the BINDERFS in the MAX_NAME macro is misleading. So probably there should > > > be a BINDER_MAX_NAME (and associated checks for whether non BINDERFS names > > > fit within the MAX. which to me reads like you want generic checks for _all_ binder devices not just for the ones from binderfs. (Btw, I didn't read your comments as pointing it out the patch is buggy. I mostly wanted to provide context why we ended up with the binderfs-specific restriction. Maybe the list sounded like a complaint but it wasn't meant to. :)) Thanks! Christian