linux_dsm_epyc7002/drivers/android
Todd Kjos 512cf465ee binder: fix use-after-free in binder_transaction()
User-space normally keeps the node alive when creating a transaction
since it has a reference to the target. The local strong ref keeps it
alive if the sending process dies before the target process processes
the transaction. If the source process is malicious or has a reference
counting bug, this can fail.

In this case, when we attempt to decrement the node in the failure
path, the node has already been freed.

This is fixed by taking a tmpref on the node while constructing
the transaction. To avoid re-acquiring the node lock and inner
proc lock to increment the proc's tmpref, a helper is used that
does the ref increments on both the node and proc.

Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-04 11:25:10 +02:00
..
binder_alloc_selftest.c android: binder: Add global lru shrinker to binder 2017-08-28 16:47:17 +02:00
binder_alloc.c android: binder: Add page usage in binder stats 2017-09-01 08:53:32 +02:00
binder_alloc.h android: binder: Add page usage in binder stats 2017-09-01 08:53:32 +02:00
binder_trace.h android: binder: Add shrinker tracepoints 2017-08-28 16:47:17 +02:00
binder.c binder: fix use-after-free in binder_transaction() 2017-10-04 11:25:10 +02:00
Kconfig android: binder: Add allocator selftest 2017-08-28 16:47:17 +02:00
Makefile android: binder: Add allocator selftest 2017-08-28 16:47:17 +02:00