References: <20220517185817.598872-1-cmllamas@google.com>
In-Reply-To: <20220517185817.598872-1-cmllamas@google.com>
From: Todd Kjos
Date: Tue, 17 May 2022 12:18:34 -0700
Subject: Re: [PATCH] binder: fix potential UAF of target_{proc,thread}
To: Carlos Llamas
Cc: Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Christian Brauner, Joel Fernandes, Hridya Valsaraju, Suren Baghdasaryan, kernel-team@android.com, linux-kernel@vger.kernel.org, Dan Carpenter

On Tue, May 17, 2022 at 11:58 AM Carlos Llamas wrote:
>
> Commit 9474be34a727 ("binder: add failed transaction logging info")
> dereferences target_{proc,thread} after they have been potentially
> freed by binder_proc_dec_tmpref() and binder_thread_dec_tmpref().
>
> This patch delays the release of the two references after their last
> usage. Fixes the following two errors reported by smatch:
>
> drivers/android/binder.c:3562 binder_transaction() error: dereferencing freed memory 'target_proc'
> drivers/android/binder.c:3563 binder_transaction() error: dereferencing freed memory 'target_thread'
>
> Fixes: 9474be34a727 ("binder: add failed transaction logging info")
> Reported-by: Dan Carpenter
> Signed-off-by: Carlos Llamas

Acked-by: Todd Kjos

> ---
> drivers/android/binder.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index d9253b2a7bd9..83facfa1a5c3 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -3546,10 +3546,6 @@ static void binder_transaction(struct binder_proc *proc, > err_empty_call_stack: > err_dead_binder: > err_invalid_target_handle: > - if (target_thread) > - binder_thread_dec_tmpref(target_thread); > - if (target_proc) > - binder_proc_dec_tmpref(target_proc); > if (target_node) { > binder_dec_node(target_node, 1, 0); > binder_dec_node_tmpref(target_node); > @@ -3565,6 +3561,11 @@ static void binder_transaction(struct binder_proc *proc, > (u64)tr->data_size, (u64)tr->offsets_size, > return_error_line); > > + if (target_thread) > + binder_thread_dec_tmpref(target_thread); > + if (target_proc) > + binder_proc_dec_tmpref(target_proc); > + > { > struct binder_transaction_log_entry *fe; > > -- > 2.36.0.550.gb090851708-goog >
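Review bot: with the two dec_tmpref() calls deleted from under err_invalid_target_handle in the first hunk, that label block now releases only target_node, and the tmprefs on target_proc and target_thread are expected to survive until the drop site added further down; the hunk headers show nine unchanged lines (old 3556 to 3564) between the end of this hunk and the tail of the binder_debug() argument list in the next one, and the change is only safe if none of them returns or jumps out of the function, otherwise the moved drops are skipped and both temporary references leak. A one-line comment at these labels, such as `/* target_{proc,thread} are released after the debug print below */`, would stop a later cleanup from moving the drops back here.

Review bot: in the second hunk the new release point is right for the binder_debug() just above (its trailing arguments `(u64)tr->data_size, (u64)tr->offsets_size, return_error_line);` are the last visible reads of the two pointers, matching the smatch lines 3562/3563 in the commit message), but it sits immediately before the `{ struct binder_transaction_log_entry *fe;` block whose body is outside the hunk; that block must not read target_proc or target_thread either, or the same freed-memory read simply moves one statement down. It would also help the commit message to say whether the stale reads are reachable only when failed-transaction debug output is enabled, since if binder_debug() does not evaluate its arguments with the mask bit clear, that bounds who can trigger the UAF.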
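The bug class the thread discusses, as an added example that is not binder code and not part of the original message: a temporary-reference scheme in the style of binder_proc_dec_tmpref(), where the last dec_tmpref() may free the object, paired with an error path that logs the object's pid. The "before" variant drops the references and then reads them (the pattern smatch flagged); the "after" variant reads first and drops last. The free is simulated by poisoning the object so the stale read is observable and countable instead of being undefined behaviour; every identifier here (tmp_obj, dec_tmpref, read_pid, run_variant, POISON_PID) is an illustrative assumption, not a kernel symbol.

```c
/*
 * Added example, not from drivers/android/binder.c.  Models a temporary
 * reference (tmp_ref) whose last drop releases the object, and shows why a
 * read that follows the drop is a use-after-free.  The release is simulated
 * by marking the object freed and poisoning its pid, so stale reads can be
 * counted; in the kernel the read would hit freed memory (KASAN territory).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_PID (-0x55)   /* written on release so a stale read is visible */

struct tmp_obj {
    int pid;
    int tmp_ref;   /* temporary references, like binder_proc.tmp_ref */
    int freed;     /* set when the last temporary reference is dropped */
};

static int  uaf_count;        /* number of reads of already-released objects */
static char last_log[64];     /* output of the simulated binder_debug() line */

static struct tmp_obj *obj_alloc(int pid)
{
    struct tmp_obj *o = calloc(1, sizeof(*o));
    if (!o)
        abort();
    o->pid = pid;
    o->tmp_ref = 1;   /* the caller holds one temporary reference */
    return o;
}

/* Stand-in for binder_proc_dec_tmpref()/binder_thread_dec_tmpref():
 * dropping the last temporary reference "frees" the object. */
static void dec_tmpref(struct tmp_obj *o)
{
    if (--o->tmp_ref == 0) {
        o->freed = 1;
        o->pid = POISON_PID;
    }
}

/* Stand-in for `target ? target->pid : 0`; records reads of released objects. */
static int read_pid(const struct tmp_obj *o)
{
    if (!o)
        return 0;
    if (o->freed)
        uaf_count++;
    return o->pid;
}

/* Before the fix: references dropped first, debug print reads them afterwards. */
static void error_path_before(struct tmp_obj *target_proc, struct tmp_obj *target_thread)
{
    if (target_thread)
        dec_tmpref(target_thread);
    if (target_proc)
        dec_tmpref(target_proc);
    /* ... target_node release would go here, unchanged by the fix ... */
    snprintf(last_log, sizeof(last_log), "transaction to %d:%d failed",
             read_pid(target_proc), read_pid(target_thread));
}

/* After the fix: debug print first, references dropped after their last use. */
static void error_path_after(struct tmp_obj *target_proc, struct tmp_obj *target_thread)
{
    snprintf(last_log, sizeof(last_log), "transaction to %d:%d failed",
             read_pid(target_proc), read_pid(target_thread));
    if (target_thread)
        dec_tmpref(target_thread);
    if (target_proc)
        dec_tmpref(target_proc);
}

/* Runs one variant on fresh objects (constructed pids 1234/5678) and returns
 * how many stale reads it performed.  Both variants must release exactly once. */
static int run_variant(int fixed)
{
    struct tmp_obj *proc = obj_alloc(1234);
    struct tmp_obj *thread = obj_alloc(5678);
    int before = uaf_count;

    if (fixed)
        error_path_after(proc, thread);
    else
        error_path_before(proc, thread);

    if (!proc->freed || !thread->freed)   /* the fix must not leak the tmprefs */
        abort();
    free(proc);
    free(thread);
    return uaf_count - before;
}

static const char *log_text(void)
{
    return last_log;
}

int main(void)
{
    printf("before fix: %d stale reads, log = \"%s\"\n", run_variant(0), log_text());
    printf("after fix:  %d stale reads, log = \"%s\"\n", run_variant(1), log_text());
    return 0;
}
```

The poisoned pids in the "before" log line are the simulated equivalent of what the real code would print from freed memory; the check in run_variant() that both objects are released on either path is the property the reviewer has to confirm for the real patch, since delaying a drop is only correct if every path through the error labels still reaches the new drop site.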