diff options
| author | Todd Kjos | 2018-12-15 00:58:21 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman | 2018-12-19 09:40:13 +0100 |
| commit | 80cd795630d6526ba729a089a435bf74a57af927 (patch) | |
| tree | bc1d2b779bf5e506c66f96ee2210101c17652b59 /drivers/android/binder_internal.h | |
| parent | Merge tag 'extcon-next-for-4.21' of git://git.kernel.org/pub/scm/linux/kernel... (diff) | |
| download | kernel-qcow2-linux-80cd795630d6526ba729a089a435bf74a57af927.tar.gz kernel-qcow2-linux-80cd795630d6526ba729a089a435bf74a57af927.tar.xz kernel-qcow2-linux-80cd795630d6526ba729a089a435bf74a57af927.zip | |
binder: fix use-after-free due to ksys_close() during fdget()
44d8047f1d8 ("binder: use standard functions to allocate fds")
exposed a pre-existing issue in the binder driver.
fdget() is used in ksys_ioctl() as a performance optimization.
One of the rules associated with fdget() is that ksys_close() must
not be called between the fdget() and the fdput(). There is a case
where this requirement is not met in the binder driver which results
in the reference count dropping to 0 when the device is still in
use. This can result in use-after-free or other issues.
If userpace has passed a file-descriptor for the binder driver using
a BINDER_TYPE_FDA object, then kys_close() is called on it when
handling a binder_ioctl(BC_FREE_BUFFER) command. This violates
the assumptions for using fdget().
The problem is fixed by deferring the close using task_work_add(). A
new variant of __close_fd() was created that returns a struct file
with a reference. The fput() is deferred instead of using ksys_close().
Fixes: 44d8047f1d87a ("binder: use standard functions to allocate fds")
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/android/binder_internal.h')
0 files changed, 0 insertions, 0 deletions