Received: by 10.223.164.202 with SMTP id h10csp1946513wrb; Mon, 27 Nov 2017 09:35:07 -0800 (PST) X-Google-Smtp-Source: AGs4zMbcke0apsx5eGFMpUoG08Ul1yXuvNKAFT+7mmPqc4hLtxEo8DgInl59CTJb1RlYNsndE8O0 X-Received: by 10.84.130.98 with SMTP id 89mr39896705plc.232.1511804107872; Mon, 27 Nov 2017 09:35:07 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511804107; cv=none; d=google.com; s=arc-20160816; b=VvXIV1Y6F2AsNKvstVfVcEmrb5xPfHfDjPS7PL1whLA9xerRssijzenzfwtr/ItPDP a2YRW/WeDfDYP+HqNYKwuB+OHZCa8/Bcq7zQEzOb1NZNT90BaMZDMI9Qg03B52LIMm71 aJwqekoMbJCtK2JGX3bgCFrSKzUr3wCLBMte+Q7yVBLjgi6I3KtwtGq9qwcy8StnORYz 1arGKNlJjPKbYUglwl8WhUuqQkXy9W+vGmz8Bpt38Q1W9ST6w9XY0UGVx9H9Emd1Pc/Y NK8tbfuyKqB+dCWaHl/V7Rfweo071WynLDR7Uh823H6cn0JOyjTotrGaN+9eijPImFiB /YTQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:to:from :dkim-signature:arc-authentication-results; bh=aV31xIoDDi9EWlYsVYF6HFvpW6M9ncewor4PNTUabN4=; b=vSJ0+6uEAZ98s797+N3CYsTsOn3HU+qfXV4qCAlGUPjuyBbkzZIOilHVV9dV7a2JXs vvnxZGdw4TvO2VwwahB4jUM+BsaxOrFt/GVrOKx6/e0kYh1t1pIg8JX69fVwoPCaRgQx SrTJvHxb/LJi1kOPms01/LAJepnuW5gL8QTAroWhzlMPjlFU7hyNF1ig1KZkisRrbIG4 vHyYYAL2RnCIh/GO8m5HxjYao6lGkvoMX1pHTeFFRL6D8mpMJaamzvIv9NWImnojAL+c 7NmRsH9gruZBouAxxoWzObgTnMjgg1DT7eWmRrvraBi8u8TE4Jhid2t6/YIrVESAfeiS rfbg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@android.com header.s=20161025 header.b=f6EujBGC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=android.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e7si23588308plk.168.2017.11.27.09.34.55; Mon, 27 Nov 2017 09:35:07 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@android.com header.s=20161025 header.b=f6EujBGC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=android.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753973AbdK0Rcw (ORCPT + 78 others); Mon, 27 Nov 2017 12:32:52 -0500 Received: from mail-it0-f68.google.com ([209.85.214.68]:38575 "EHLO mail-it0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753009AbdK0Rct (ORCPT ); Mon, 27 Nov 2017 12:32:49 -0500 Received: by mail-it0-f68.google.com with SMTP id n134so22271457itg.3 for ; Mon, 27 Nov 2017 09:32:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=android.com; s=20161025; h=from:to:subject:date:message-id; bh=aV31xIoDDi9EWlYsVYF6HFvpW6M9ncewor4PNTUabN4=; b=f6EujBGCg54tbprmuB25ISdiDJyZyg8jYKlPVLETWYy6De06b8KkuyaSIMJV1t9/mV JUfmy5pUoY2NOYpYn1Qf40UnZ+8BMt6GNi2/jJcJI+qRxTMdqmjdU+biguu8idoPfAwZ OAPsP0d4vpkR6E4LW+2QiZ8GzNqFTkDlGBRkH0AL+QdCGgERF0SYhJr62F2nTmI71J/M ibpKd7NRsFzdsuCjx4poONokSYycR+/rOcoY35E71Qc4Bg1ttFVdytbCh26hq4AQWsUn GOR33x3AWfRnlboBOv9+BaOMEMCNCMjC18A0lpvIl/zWRTa2ZbWmMfBVwXo/XO/2FgME hRGw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id; bh=aV31xIoDDi9EWlYsVYF6HFvpW6M9ncewor4PNTUabN4=; b=FNexH5wvUOm+dlVyPovwYALQszzRo3Valr9AexSymHRLMmXnnL5t4K83lGIwHHYDU1 /JwE9bwQA8a5S6Ia+Tm650Jt+ULs+8zTG4PbJca7FQZnFzm7M6FnjbkO6ghnOUGZYt4k s5sTK66geImfb4fnftXKJVaHtVLFZ5e92ovsZx95nLFbe7iIy6r2Af5Ge34/L/L87MKO u3UDkK4PsQANemoVIAo/+/7u+oB54vynxK6Wbx4EgMMaY39O/i1Y7cdQcqWw8Csuo/7R +3LkY4fgO5j6Ok3FewDYZVlt2lGVfHGonOM3EkM3aVKnURIb2BeFMXoGroFa/QqhDs3U ti7Q== X-Gm-Message-State: AJaThX7UGgDsIm35hrEZ1cCf8rs+g3BHHSgSn6QQ9Mf1j3aOBjUEKsHE IQ0vCC6YDaunwDKmICp+t8iRxw== X-Received: by 10.36.108.83 with SMTP id w80mr5726213itb.3.1511803969259; Mon, 27 Nov 2017 09:32:49 -0800 (PST) Received: from ava-linux.mtv.corp.google.com ([2620:0:1000:1601:b54f:d6ef:4ed5:e794]) by smtp.googlemail.com with ESMTPSA id r142sm5103182ior.82.2017.11.27.09.32.48 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 27 Nov 2017 09:32:48 -0800 (PST) From: Todd Kjos X-Google-Original-From: Todd Kjos To: tkjos@google.com, gregkh@linuxfoundation.org, arve@android.com, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, maco@google.com, viro@zeniv.linux.org.uk Subject: [PATCH v3] binder: fix proc->files use-after-free Date: Mon, 27 Nov 2017 09:32:33 -0800 Message-Id: <20171127173233.21742-1-tkjos@google.com> X-Mailer: git-send-email 2.15.0.417.g466bffb3ac-goog Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org proc->files cleanup is initiated by binder_vma_close. Therefore a reference on the binder_proc is not enough to prevent the files_struct from being released while the binder_proc still has a reference. This can lead to an attempt to dereference the stale pointer obtained from proc->files prior to proc->files cleanup. This has been seen once in task_get_unused_fd_flags() when __alloc_fd() is called with a stale "files". The fix is to protect proc->files with a mutex to prevent cleanup while in use. Signed-off-by: Todd Kjos --- v2: declare binder_get_files_struct as static v3: rework to protect proc->files with a mutex instead of using get_files_struct Also needed in 4.14 drivers/android/binder.c | 44 +++++++++++++++++++++++++++++++------------- 1 file changed, 31 insertions(+), 13 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index a73596a4f804..7c027ee61375 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -482,7 +482,8 @@ enum binder_deferred_state { * @tsk task_struct for group_leader of process * (invariant after initialized) * @files files_struct for process - * (invariant after initialized) + * (protected by @files_lock) + * @files_lock mutex to protect @files * @deferred_work_node: element for binder_deferred_list * (protected by binder_deferred_lock) * @deferred_work: bitmap of deferred work to perform @@ -530,6 +531,7 @@ struct binder_proc { int pid; struct task_struct *tsk; struct files_struct *files; + struct mutex files_lock; struct hlist_node deferred_work_node; int deferred_work; bool is_dead; @@ -877,20 +879,26 @@ static void binder_inc_node_tmpref_ilocked(struct binder_node *node); static int task_get_unused_fd_flags(struct binder_proc *proc, int flags) { - struct files_struct *files = proc->files; unsigned long rlim_cur; unsigned long irqs; + int ret; - if (files == NULL) - return -ESRCH; - - if (!lock_task_sighand(proc->tsk, &irqs)) - return -EMFILE; - + mutex_lock(&proc->files_lock); + if (proc->files == NULL) { + ret = -ESRCH; + goto err; + } + if (!lock_task_sighand(proc->tsk, &irqs)) { + ret = -EMFILE; + goto err; + } rlim_cur = task_rlimit(proc->tsk, RLIMIT_NOFILE); unlock_task_sighand(proc->tsk, &irqs); - return __alloc_fd(files, 0, rlim_cur, flags); + ret = __alloc_fd(proc->files, 0, rlim_cur, flags); +err: + mutex_unlock(&proc->files_lock); + return ret; } /* @@ -899,8 +907,10 @@ static int task_get_unused_fd_flags(struct binder_proc *proc, int flags) static void task_fd_install( struct binder_proc *proc, unsigned int fd, struct file *file) { + mutex_lock(&proc->files_lock); if (proc->files) __fd_install(proc->files, fd, file); + mutex_unlock(&proc->files_lock); } /* @@ -910,9 +920,11 @@ static long task_close_fd(struct binder_proc *proc, unsigned int fd) { int retval; - if (proc->files == NULL) - return -ESRCH; - + mutex_lock(&proc->files_lock); + if (proc->files == NULL) { + retval = -ESRCH; + goto err; + } retval = __close_fd(proc->files, fd); /* can't restart close syscall because file table entry was cleared */ if (unlikely(retval == -ERESTARTSYS || @@ -920,7 +932,8 @@ static long task_close_fd(struct binder_proc *proc, unsigned int fd) retval == -ERESTARTNOHAND || retval == -ERESTART_RESTARTBLOCK)) retval = -EINTR; - +err: + mutex_unlock(&proc->files_lock); return retval; } @@ -4605,7 +4618,9 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) ret = binder_alloc_mmap_handler(&proc->alloc, vma); if (ret) return ret; + mutex_lock(&proc->files_lock); proc->files = get_files_struct(current); + mutex_unlock(&proc->files_lock); return 0; err_bad_arg: @@ -4629,6 +4644,7 @@ static int binder_open(struct inode *nodp, struct file *filp) spin_lock_init(&proc->outer_lock); get_task_struct(current->group_leader); proc->tsk = current->group_leader; + mutex_init(&proc->files_lock); INIT_LIST_HEAD(&proc->todo); proc->default_priority = task_nice(current); binder_dev = container_of(filp->private_data, struct binder_device, @@ -4881,9 +4897,11 @@ static void binder_deferred_func(struct work_struct *work) files = NULL; if (defer & BINDER_DEFERRED_PUT_FILES) { + mutex_lock(&proc->files_lock); files = proc->files; if (files) proc->files = NULL; + mutex_unlock(&proc->files_lock); } if (defer & BINDER_DEFERRED_FLUSH) -- 2.15.0.417.g466bffb3ac-goog From 1585938485442150477@xxx Tue Dec 05 10:13:20 +0000 2017 X-GM-THRID: 1585938485442150477 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread