Return-Path: <linux-kernel-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 3D6E9C433EF
	for <linux-kernel@archiver.kernel.org>; Wed, 24 Nov 2021 20:33:41 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235050AbhKXUgs (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Wed, 24 Nov 2021 15:36:48 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47584 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233694AbhKXUgp (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 24 Nov 2021 15:36:45 -0500
Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 058BBC061574
        for <linux-kernel@vger.kernel.org>; Wed, 24 Nov 2021 12:33:35 -0800 (PST)
Received: by mail-lf1-x12e.google.com with SMTP id l22so10426202lfg.7
        for <linux-kernel@vger.kernel.org>; Wed, 24 Nov 2021 12:33:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=MhL0kxFEHaqyOrBFQv6DgBdmfil+zC1/DunqGCWJ7dE=;
        b=SY2lZmurMNRui/CzWSIpvpB/CdU7GDeMvTgPGi+6Ke7C2Pe0BbvB0yiPdPmztPGk2r
         pgniHv+F2qw2vyIhbiSlLsazOIZo4vJhhO0fIXoz/fMSwoTMv5duRtcwcMGSleJg17Kj
         vCGObHN6NYXviM1PB7L/31ADMHmVaIH/3hkiTio6fmFW20p929rjmLf2cE9FLSppRVuS
         1nBYTHKuPemtuY4mb8WYV/GHQNcSzv2QY2aMxyOYGtVeNtD+X4aFmJnhUzYaLSzZ8Kom
         RVWHZGEVF58LOWiQACvqsMjQqrqfml7KzgyyB2xRervcod6K/hGRlJ+c8Sq/r0qIAo81
         ozsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=MhL0kxFEHaqyOrBFQv6DgBdmfil+zC1/DunqGCWJ7dE=;
        b=C4SBk8DhjI/6aMX1t3E57eKznaZZ+J4lMcEJIDH8FKNHwm5P6UifFkD11y31ni79ln
         V0MGsoybnY4zwG7HlPa4ZPy25LtH3P+GkGnEpm7aRm3/hKegSUY/5eWL2e7w6Kx1JtKw
         F08zLrDjzxM5Q7BwB2KkvtkCNRnB1miDwcbr73MaqZ4FLowEEPCybon41J8G8wjBxVwH
         XvLotVogzuWL855LHiUp/FWNBbcbuXLkTgvqKhcRBz4zpiCEUYMJVyka2KMm6UPhmMZW
         D74+SzBqrKPf67zyxG/jTurtQMQ7Qc8rCaEHjPt467H9bIm88cj2wF/N+nLBP2gdeSrf
         n/ng==
X-Gm-Message-State: AOAM533QJIMe52cZvCIvZxGMuz3BM7VcXqHzsCXzeG0ac33Jw4EkbX4s
        GngREGZVMBzUVHz1u7tqOXnXVadTRNXPZrk1mxevRQ==
X-Google-Smtp-Source: ABdhPJxdZ/m0KOr70Ixo3v80AyzJnc5BRnL3sqeuVTWa/4erFFMJvR3o1EjXxENGxfiVgRrJKdlFzWEtLAaEF/rsvsQ=
X-Received: by 2002:a05:6512:22c7:: with SMTP id g7mr18223275lfu.668.1637786013075;
 Wed, 24 Nov 2021 12:33:33 -0800 (PST)
MIME-Version: 1.0
References: <20211123191737.1296541-1-tkjos@google.com> <20211123191737.1296541-3-tkjos@google.com>
 <20211124123719.GG6514@kadam>
In-Reply-To: <20211124123719.GG6514@kadam>
From:   Todd Kjos <tkjos@google.com>
Date:   Wed, 24 Nov 2021 12:33:20 -0800
Message-ID: <CAHRSSEzj10quNV6mK9QQezPRMyO49xNA14O4wCsx+eY_UkjQWQ@mail.gmail.com>
Subject: Re: [PATCH 2/3] binder: read pre-translated fds from sender buffer
To:     Dan Carpenter <dan.carpenter@oracle.com>
Cc:     gregkh@linuxfoundation.org, christian@brauner.io, arve@android.com,
        devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org,
        maco@google.com, joel@joelfernandes.org, kernel-team@android.com
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Nov 24, 2021 at 4:37 AM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> On Tue, Nov 23, 2021 at 11:17:36AM -0800, Todd Kjos wrote:
> > Since we are no longer going to copy the pre-fixup
> > data from the target buffer, we need to read
> > pre-translated FD array information from the source
> > buffer.
> >
>
> The commit message is really misleading.  From the commit message it
> sounds like the commit is changing runtime but it's not.  What I want is
> a commit message like this:
>
>   This patch is to prepare for an up coming patch where we read
>   pre-translated fds from the sender buffer and translate them before
>   copying them to the target.  It does not change run time.
>
>   The patch adds two new parameters to binder_translate_fd_array() to
>   hold the sender buffer and sender buffer parent.  These parameters let
>   us call copy_from_user() directly instead of using
>   binder_alloc_copy_from_buffer() which is a cleanup.  Also the patch
>   adds some new alignment checks.  Previously the alignment checks would
>   have been done in a different place, but this lets us print more
>   useful error messages.

Got it. Will fix in update.

>
>
> > Signed-off-by: Todd Kjos <tkjos@google.com>
> > ---
> >  drivers/android/binder.c | 40 +++++++++++++++++++++++++++++++++-------
> >  1 file changed, 33 insertions(+), 7 deletions(-)
> >
> > diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> > index 571d3c203557..2300fa8e09d5 100644
> > --- a/drivers/android/binder.c
> > +++ b/drivers/android/binder.c
> > @@ -2234,15 +2234,17 @@ static int binder_translate_fd(u32 fd, binder_size_t fd_offset,
> >  }
> >
> >  static int binder_translate_fd_array(struct binder_fd_array_object *fda,
> > +                                  const void __user *u,
>
> I wish we could use sender/target terminology everywhere.  Please change
> every place that has "u" or "user" to either "sender" or "target" as
> appropriate.

Ok (all "u/user" cases are sender).

>
> >                                    struct binder_buffer_object *parent,
> > +                                  struct binder_buffer_object *uparent,
>                                                                   ^
>
> >                                    struct binder_transaction *t,
> >                                    struct binder_thread *thread,
> >                                    struct binder_transaction *in_reply_to)
> >  {
> >       binder_size_t fdi, fd_buf_size;
> >       binder_size_t fda_offset;
> > +     const void __user *ufda_base;
>                            ^
>
> >       struct binder_proc *proc = thread->proc;
> > -     struct binder_proc *target_proc = t->to_proc;
> >
> >       fd_buf_size = sizeof(u32) * fda->num_fds;
> >       if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
> > @@ -2266,7 +2268,10 @@ static int binder_translate_fd_array(struct binder_fd_array_object *fda,
> >        */>    fda_offset = (parent->buffer - (uintptr_t)t->buffer->user_data) +
> >               fda->parent_offset;
> > -     if (!IS_ALIGNED((unsigned long)fda_offset, sizeof(u32))) {
> > +     ufda_base = (void __user *)uparent->buffer + fda->parent_offset;
> > +
> > +     if (!IS_ALIGNED((unsigned long)fda_offset, sizeof(u32)) ||
> > +         !IS_ALIGNED((unsigned long)ufda_base, sizeof(u32))) {
> >               binder_user_error("%d:%d parent offset not aligned correctly.\n",
> >                                 proc->pid, thread->pid);
> >               return -EINVAL;
> > @@ -2275,10 +2280,9 @@ static int binder_translate_fd_array(struct binder_fd_array_object *fda,
> >               u32 fd;
> >               int ret;
> >               binder_size_t offset = fda_offset + fdi * sizeof(fd);
> > +             binder_size_t uoffset = fdi * sizeof(fd);
> >
> > -             ret = binder_alloc_copy_from_buffer(&target_proc->alloc,
> > -                                                 &fd, t->buffer,
> > -                                                 offset, sizeof(fd));
> > +             ret = copy_from_user(&fd, ufda_base + uoffset, sizeof(fd));
> >               if (!ret)
> >                       ret = binder_translate_fd(fd, offset, t, thread,
> >                                                 in_reply_to);
>
> This is something from the original code but if the copy_from_user()
> fails, then we just skip that "fd" without informing the user.

Here is the whole code fragment(the diff doesn't include the "if
(ret<0) return ret"):

  ret = copy_from_user(&fd, ufda_base + uoffset, sizeof(fd));
  if (!ret)
    ret = binder_translate_fd(fd, offset, t, thread, in_reply_to);
  if (ret < 0)
    return ret;

I agree -- if copy_from_user() for some reason doesn't copy the whole
buffer, it might return a positive integer. Then it would skip
binder_translate_fd(), but not return. That should probably be
something like:

  if (ret)
    return ret > 0 ? -EINVAL : ret;

Will fix in next version.

> It feels wrong.  Does that not lead to a bug in the target app?
>

If copy_from_user() returned a positive integer, we would translate
some random fd. Most likely it would be invalid, but it might not be.
Definitely would be a bug.

>
> > @@ -2951,6 +2955,8 @@ static void binder_transaction(struct binder_proc *proc,
> >               case BINDER_TYPE_FDA: {
> >                       struct binder_object ptr_object;
> >                       binder_size_t parent_offset;
> > +                     struct binder_object user_object;
> > +                     size_t user_parent_size;
> >                       struct binder_fd_array_object *fda =
> >                               to_binder_fd_array_object(hdr);
> >                       size_t num_valid = (buffer_offset - off_start_offset) /
> > @@ -2982,8 +2988,28 @@ static void binder_transaction(struct binder_proc *proc,
> >                               return_error_line = __LINE__;
> >                               goto err_bad_parent;
> >                       }
> > -                     ret = binder_translate_fd_array(fda, parent, t, thread,
> > -                                                     in_reply_to);
> > +
> > +                     /*
> > +                      * We need to read the user version of the parent
> > +                      * object to get the original user offset
> > +                      */
> > +                     user_parent_size =
> > +                             binder_get_object(proc, user_buffer, t->buffer,
> > +                                               parent_offset, &user_object);
> > +                     if (user_parent_size != sizeof(user_object.bbo)) {
> > +                             binder_user_error("%d:%d invalid ptr object size: %lld vs %lld\n",
>
> Apparently %lld breaks the build on my .config.  The correct format for
> size_t is %zd.
>
> > +                                               proc->pid, thread->pid,
> > +                                               user_parent_size,
> > +                                               sizeof(user_object.bbo));
> > +                             return_error = BR_FAILED_REPLY;
> > +                             return_error_param = -EINVAL;
> > +                             return_error_line = __LINE__;
> > +                             goto err_bad_parent;
> > +                     }
> > +                     ret = binder_translate_fd_array(fda, user_buffer,
> > +                                                     parent,
> > +                                                     &user_object.bbo, t,
> > +                                                     thread, in_reply_to);
>
> regards,
> dan carpenter
>
> --
> To unsubscribe from this group and stop receiving emails from it, send an email to kernel-team+unsubscribe@android.com.
>