Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp413189ybg; Tue, 28 Jul 2020 09:03:47 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxYiNuIEGq0upLcfByqUntB5mPqPIDZ3NCK+4W5a8tjJRrktkNRJDS27kGYIx2q/xaBZFbx X-Received: by 2002:a17:906:78e:: with SMTP id l14mr1693021ejc.67.1595952227206; Tue, 28 Jul 2020 09:03:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595952227; cv=none; d=google.com; s=arc-20160816; b=fD6iYA45o9joA/vPu1WN/uwMnTcuFjUASOQkFj3lT0uf3gOsrNIGDWLXtfp2Xmn/m2 BkbwObttMts2HIoAWSAClbysbKSGJLTIbSelXOGf/pyGbF5ozaD7zguLRPKjXv45D9t5 OyoeCjvd9fGfrrlekH7NRlkykoQVPjqAWiHZAP5sQklsC4i/9iIi7xfFpD/vdBJvp+10 KvGFZonp6D1n86YAqm3KwzXv/x9PI3hd9qJOjMYW9VBL2FLFktk79ztZvEDHB92yqu9Z O/oXwG0U3GEF9TS9RANuLMSze++2MMLl5e8/RVIkSqQaB92cEkAnKewOXRHeASPoIN+a Z6RA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=4pYEC9dZ+jd5ZdpQ86R7MRp/YpojCjB5i3kRxOXIqZ4=; b=D47XZkKDEVRFBMCgcf6qIYiM0R2w1R5vEt+kNDPWKn7YZUknswIak5h29yzVKBq6jS 2/D5WDukNVu8DbBfF0CH3iiNFxF2EY9HfUdFxwWF5qkbUE507Dr6H+hghmSIOC73rG3U lftuVkTfr2T5UOtJp7Ja4fLYAfHS3dyAI4hOft9Bz06/2BVmCstDh7c3V6/hLxKvwfKU qNDjGC1LkGnNUGe8tBjcmZZJYVCiMgyX5AMYmszdnFIWFj7M57Nyr7TFWC/IYfOnfV+3 l7OLjE7QNPBwGFoC6uYEQKGdgZgbEnBzdtFRopn8BDrsKi8h7ZHIlFty42xNmQHnLAdR 3xng== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@android.com header.s=20161025 header.b=lFPlDrZA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=android.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h5si7361743ejj.464.2020.07.28.09.03.24; Tue, 28 Jul 2020 09:03:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@android.com header.s=20161025 header.b=lFPlDrZA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=android.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731260AbgG1QCI (ORCPT + 99 others); Tue, 28 Jul 2020 12:02:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50004 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731136AbgG1QCH (ORCPT ); Tue, 28 Jul 2020 12:02:07 -0400 Received: from mail-lj1-x242.google.com (mail-lj1-x242.google.com [IPv6:2a00:1450:4864:20::242]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B9C0EC061794 for ; Tue, 28 Jul 2020 09:02:06 -0700 (PDT) Received: by mail-lj1-x242.google.com with SMTP id q4so21749684lji.2 for ; Tue, 28 Jul 2020 09:02:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=android.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4pYEC9dZ+jd5ZdpQ86R7MRp/YpojCjB5i3kRxOXIqZ4=; b=lFPlDrZAPUQGkmZpmSCIMJDbvQtxgVtpwEqHn/z1SvDBcvz/7LeDdZGg4TSxdYSyqk 1AL+peXtrZTzNnqgR0xs7Y7977CKVPUok7j3yTy3fQYqP10ZqxqIy+9zptz2JJbZcWaM 1mA94lw8guaLpIHv0MPGhj0YPfLyPVmnef/ODkEwrC00hyOPvUfFWOSFl3+GXoyXNH0M t0Vg8hdOAGTu3wxRXFazn8ao0NP1jTcE4K54hUNsuXJb/t0nZB3hCsK7SHo4Zm2aMn1+ wgBJCGNHD1ozmLFA67jDuE7KQ9jNegJ3U2Z89iqfBH4vcO/T/fCQt9+msff18hc1XoOU +gfg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4pYEC9dZ+jd5ZdpQ86R7MRp/YpojCjB5i3kRxOXIqZ4=; b=ajqnK72K2hXbq+hfNVnrpUUxAZdlwYfljppNQdKMqiEEPkc9FXoS1lO6/VkZpMkgwH hsEahr0X6bdUgHb59WIOP6cc2V3rxJjdbOc9hAWsz7HphLbpnfag3zFQ3BfJhnUbcle4 6y3ooQyRCkzU1laFenEHqE/Q9AbzDGxRiHHNUZP6PnN7OguU7Z5CvOXumtV1oDDKwGa7 7DucUY2Px63pZXJeGQDjZ8Rjv6s3WSSmgpMW49f0wKtTBhaCsEQQhT3OD4OAVduX0gRO 6D6bZ06iX3yTTRcosSTPZbzQPOqCrTUn4P170w2WwoxZoaZHnVPNvQC955/GsIaLn9r5 VwdQ== X-Gm-Message-State: AOAM532RHoxlrc3XAiRQ91NwTqFPHWJK9yBg9zr36eNgVUeJgErSjHsa M+kNWmanh3RjO4V7FysXTjAWbBCzBNIkhAdyHloGtw== X-Received: by 2002:a2e:6c14:: with SMTP id h20mr11602812ljc.176.1595952125171; Tue, 28 Jul 2020 09:02:05 -0700 (PDT) MIME-Version: 1.0 References: <20200727120424.1627555-1-jannh@google.com> In-Reply-To: From: Martijn Coenen Date: Tue, 28 Jul 2020 18:01:54 +0200 Message-ID: Subject: Re: [PATCH v2] binder: Prevent context manager from incrementing ref 0 To: Jann Horn Cc: Greg Kroah-Hartman , =?UTF-8?B?QXJ2ZSBIasO4bm5ldsOlZw==?= , Todd Kjos , Joel Fernandes , Christian Brauner , "open list:ANDROID DRIVERS" , Mattias Nissler , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Thanks a lot for the detailed explanation, I understood now. Martijn On Tue, Jul 28, 2020 at 4:50 PM Jann Horn wrote: > > On Tue, Jul 28, 2020 at 3:50 PM Martijn Coenen wrote: > > On Mon, Jul 27, 2020 at 2:04 PM Jann Horn wrote: > > > - task B opens /dev/binder once, creating binder_proc instance P3 > > > - P3 calls P2 (via magic handle 0) with (void*)1 as argument (two-way > > > transaction) > > > - P2 receives the handle and uses it to call P3 (two-way transaction) > > > - P3 calls P2 (via magic handle 0) (two-way transaction) > > > - P2 calls P2 (via handle 1) (two-way transaction) > > > > Why do you need P3 involved at all? Could P2 just straight away make a > > call on handle 1? > > Yes, it could, I think. IIRC these steps are necessary if you want to > actually get a KASAN splat, instead of just a transaction-to-self with > no further consequences. It has been a while since I looked at this, > but I'll try to figure out again what was going on... > > > A UAF occurs in the following code due to the transaction-to-self, > because the "if (t->to_thread == thread)" is tricked into believing > that the transaction has already been accepted. > > static int binder_thread_release(struct binder_proc *proc, > struct binder_thread *thread) > { > struct binder_transaction *t; > struct binder_transaction *send_reply = NULL; > [...] > t = thread->transaction_stack; > if (t) { > [...] > if (t->to_thread == thread) > send_reply = t; > } else { > [...] > } > [...] > //NOTE: transaction is freed here because top-of-stack is > // wrongly treated as already-accepted incoming transaction) > if (send_reply) > binder_send_failed_reply(send_reply, BR_DEAD_REPLY); > //NOTE pending transaction work is processed here (transaction has not > // yet been accepted) > binder_release_work(proc, &thread->todo); > [...] > } > > An unaccepted transaction will only have a non-NULL ->to_thread if the > transaction has a specific target thread; for a non-reply transaction, > that is only the case if it is a two-way transaction that was sent > while the binder call stack already contained the target task (iow, > the transaction looks like a synchronous callback invocation). > > With the steps: > > - P3 calls P2 (via magic handle 0) with (void*)1 as argument (two-way > transaction) > - P2 receives the handle and uses it to call P3 (two-way transaction) > - P3 calls P2 (via magic handle 0) (two-way transaction) > - P2 calls P2 (via handle 1) (two-way transaction) > > the call stack will look like this: > > P3 -> P2 -> P3 -> P2 -> P2 > > The initial call from P3 to P2 was IIRC just to give P2 a handle to > P3; IIRC the relevant part of the call stack was: > > P2 -> P3 -> P2 -> P2 > > Because P2 already occurs down in the call stack, the final > transaction "P2 -> P2" is considered to be a callback and is > thread-directed. > > > The reason why P3 has to be created from task B is the "if > (target_node && target_proc->pid == proc->pid)" check for transactions > to reference 0.