• Todd Kjos's avatar
    binder: fix race that allows malicious free of live buffer · fd6cc33d
    Todd Kjos authored
    commit 7bada55a upstream.
    
    Malicious code can attempt to free buffers using the BC_FREE_BUFFER
    ioctl to binder. There are protections against a user freeing a buffer
    while in use by the kernel, however there was a window where
    BC_FREE_BUFFER could be used to free a recently allocated buffer that
    was not completely initialized. This resulted in a use-after-free
    detected by KASAN with a malicious test program.
    
    This window is closed by setting the buffer's allow_user_free attribute
    to 0 when the buffer is allocated or when the user has previously freed
    it instead of waiting for the caller to set it. The problem was that
    when the struct buffer was recycled, allow_user_free was stale and set
    to 1 allowing a free to go through.
    Signed-off-by: default avatarTodd Kjos <tkjos@google.com>
    Acked-by: default avatarArve Hjønnevåg <arve@android.com>
    Cc: stable <stable@vger.kernel.org> # 4.14
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    
    fd6cc33d
binder_alloc.c 27.6 KB