binder: binder: fix possible UAF when freeing buffer pie-9.0.0-release-psa MMI-PSAS29.160-55-7-1
author Jignesh Patel <jignesh@motorola.com>
Fri, 15 Nov 2019 04:43:01 +0000 (10:13 +0530)
committer chenyt9 <chenyt9@lenovo.com>
Wed, 17 Jun 2020 06:46:27 +0000 (14:46 +0800)
commit 99b9e031038ee010b65e58eb653ceefb6ad7f7f8
tree 567d1bc46e778ab81049b6615407db9a5f48be72
parent 99c2a58c2aab7970728a876cc7db18a68f90a5be
binder: binder: fix possible UAF when freeing buffer

There is a race between the binder driver cleaning
up a completed transaction via binder_free_transaction()
and a user calling binder_ioctl(BC_FREE_BUFFER) to
release a buffer. It doesn't matter which is first but
they need to be protected against running concurrently
which can result in a UAF.

Mot-CRs-fixed: (CR)
CVE-Fixed: CVE-2019-2213
Bug: 133758011

The following revert is needed to apply the correct patch, hence
reverting
Revert "[RAMEN9610-20513]binder: fix possible UAF when freeing buffer"

This reverts commit e114db7c075820499ae09168cbc5b14786a552b8.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Jignesh Patel <jignesh@motorola.com>
Change-Id: Ife23f7a2178678252a2f68c6a64c0800a621110f
Reviewed-on: https://gerrit.mot.com/1434961
SME-Granted: SME Approvals Granted
SLTApproved: Slta Waiver
Tested-by: Jira Key
Reviewed-by: Xiangpo Zhao <zhaoxp3@motorola.com>
Submit-Approved: Jira Key
Reviewed-on: https://gerrit.mot.com/1456141
Reviewed-by: Varun Shrivastava <varunshrivastava@motorola.com>
Reviewed-by: Sindhu C <a12924@motorola.com>
SLTApproved: Sindhu C <a12924@motorola.com>
Tested-by: Anandappan ChakRavarthy <pjwt34@motorola.com>
drivers/android/binder.c
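
The locking discipline the commit message describes, as an added userspace model that is not the patch or any code from this commit. It assumes the transaction and the buffer hold pointers to each other (the page does not show the data structures); all names are hypothetical and a pthread mutex stands in for the driver's lock. Both teardown paths clear the cross-references under the same lock, so either order leaves no stale pointer behind.

```c
#include <pthread.h>
#include <stdlib.h>

/* Userspace model, hypothetical names: two objects that point at each other. */
struct txn;
struct buf  { struct txn *transaction; };
struct txn  { struct buf *buffer; };
struct proc { pthread_mutex_t inner_lock; };

/* Cleanup path: detach from the buffer under the lock, then free t. */
static void free_transaction(struct proc *p, struct txn *t)
{
    pthread_mutex_lock(&p->inner_lock);
    if (t->buffer)
        t->buffer->transaction = NULL; /* buffer must not keep a pointer to t */
    pthread_mutex_unlock(&p->inner_lock);
    free(t);
}

/* Release path: clear both directions under the same lock, then free b. */
static void release_buffer(struct proc *p, struct buf *b)
{
    pthread_mutex_lock(&p->inner_lock);
    if (b->transaction) {
        b->transaction->buffer = NULL; /* t must not keep a pointer to b */
        b->transaction = NULL;
    }
    pthread_mutex_unlock(&p->inner_lock);
    free(b);
}

/* Run both paths in the chosen order; return 1 if the object still alive
 * after the first path no longer points at the freed one. */
static int run_order(int txn_first)
{
    struct proc p = { PTHREAD_MUTEX_INITIALIZER };
    struct txn *t = malloc(sizeof(*t));
    struct buf *b = malloc(sizeof(*b));
    int ok;
    if (!t || !b) { free(t); free(b); return 0; }
    t->buffer = b;
    b->transaction = t;
    if (txn_first) free_transaction(&p, t); else release_buffer(&p, b);
    ok = txn_first ? (b->transaction == NULL) : (t->buffer == NULL);
    if (txn_first) release_buffer(&p, b); else free_transaction(&p, t);
    return ok;
}

int main(void) { return !(run_order(1) && run_order(0)); }
```

The two paths are called one after the other here so the result is deterministic; the shared lock is what keeps the same invariant when they run on different threads.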