UPSTREAM: binder: fix race that allows malicious free of live buffer
authorTodd Kjos <tkjos@android.com>
Tue, 6 Nov 2018 23:55:32 +0000 (15:55 -0800)
committerDanny Wood <danwood76@gmail.com>
Fri, 8 Nov 2019 12:03:13 +0000 (12:03 +0000)
commit03c0215f2e668ac802ffc440e5ac6a8f53080ae4
tree02ddfd4f6cf1cbee28b60158273bfbe2808771ad
parent413aefe79ac9f8b9a3bf719bbac598c474189873
UPSTREAM: binder: fix race that allows malicious free of live buffer

commit 7bada55ab50697861eee6bb7d60b41e68a961a9c upstream

Malicious code can attempt to free buffers using the BC_FREE_BUFFER
ioctl to binder. There are protections against a user freeing a buffer
while in use by the kernel, however there was a window where
BC_FREE_BUFFER could be used to free a recently allocated buffer that
was not completely initialized. This resulted in a use-after-free
detected by KASAN with a malicious test program.

This window is closed by setting the buffer's allow_user_free attribute
to 0 when the buffer is allocated or when the user has previously freed
it instead of waiting for the caller to set it. The problem was that
when the struct buffer was recycled, allow_user_free was stale and set
to 1 allowing a free to go through.

Bug: 116855682
Change-Id: I0b38089f6fdb1adbf7e1102747e4119c9a05b191
Signed-off-by: Todd Kjos <tkjos@google.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Cc: stable <stable@vger.kernel.org> # 4.14
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/android/binder.c
drivers/android/binder_alloc.c
drivers/android/binder_alloc.h