Date: Tue, 17 May 2022 18:58:17 +0000
Message-Id: <20220517185817.598872-1-cmllamas@google.com>
Subject: [PATCH] binder: fix potential UAF of target_{proc,thread}
From: Carlos Llamas
To: Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Christian Brauner
Cc: Joel Fernandes, Hridya Valsaraju, Suren Baghdasaryan, kernel-team@android.com, linux-kernel@vger.kernel.org, Dan Carpenter, Carlos Llamas

Commit 9474be34a727 ("binder: add failed transaction logging info")
dereferences target_{proc,thread} after they have been potentially freed
by binder_proc_dec_tmpref() and binder_thread_dec_tmpref().

This patch delays the release of the two references until after their
last usage.

Fixes the following two errors reported by smatch:

drivers/android/binder.c:3562 binder_transaction() error: dereferencing freed memory 'target_proc'
drivers/android/binder.c:3563 binder_transaction() error: dereferencing freed memory 'target_thread'

Fixes: 9474be34a727 ("binder: add failed transaction logging info")
Reported-by: Dan Carpenter
Signed-off-by: Carlos Llamas
---
 drivers/android/binder.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index d9253b2a7bd9..83facfa1a5c3 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3546,10 +3546,6 @@ static void binder_transaction(struct binder_proc *proc, err_empty_call_stack: err_dead_binder: err_invalid_target_handle: - if (target_thread) - binder_thread_dec_tmpref(target_thread); - if (target_proc) - binder_proc_dec_tmpref(target_proc); if (target_node) { binder_dec_node(target_node, 1, 0); binder_dec_node_tmpref(target_node); @@ -3565,6 +3561,11 @@ static void binder_transaction(struct binder_proc *proc, (u64)tr->data_size, (u64)tr->offsets_size, return_error_line); + if (target_thread) + binder_thread_dec_tmpref(target_thread); + if (target_proc) + binder_proc_dec_tmpref(target_proc); + { struct binder_transaction_log_entry *fe; -- 2.36.0.550.gb090851708-goog
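Review bot: for the first hunk (-3546), removing the `binder_thread_dec_tmpref()` / `binder_proc_dec_tmpref()` calls at `err_invalid_target_handle:` only stays reference-neutral if every error path that lands on these labels falls straight through to the new release site in the second hunk; the old lines 3550 to 3564 between the two hunks are not in the shown context, so please confirm there is no `return` or `goto` in that stretch that would now skip the decrements and leak a tmpref. Releasing proc/thread after the `target_node` block is otherwise fine, since that block only touches `target_node`.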
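Review bot: in the second hunk (-3565), the re-added `if (target_thread)` / `if (target_proc)` block now sits right before `{ struct binder_transaction_log_entry *fe;`, so the fix is only complete if that log-entry block and everything after it up to the function's return no longer read `target_proc` or `target_thread`; the smatch-reported dereferences at 3562/3563 evidently fall within the `binder_debug()` call whose tail is this hunk's leading context, and moving the release below that call addresses those two, but not any later use. A one-line comment above the new block, e.g. `/* target_{proc,thread} are still used by binder_debug() above; release last */`, would keep a future reorder from reintroducing the use-after-free.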