| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 30 Apr 2018 12:24:41 -0700
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org,
syzbot+09e05aba06723a94d43d@...kaller.appspotmail.com,
Martijn Coenen <maco@...roid.com>
Subject: [PATCH 4.14 59/91] ANDROID: binder: prevent transactions into own process.
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martijn Coenen <maco@...roid.com>
commit 7aa135fcf26377f92dc0680a57566b4c7f3e281b upstream.
This can't happen with normal nodes (because you can't get a ref
to a node you own), but it could happen with the context manager;
to make the behavior consistent with regular nodes, reject
transactions into the context manager by the process owning it.
Reported-by: syzbot+09e05aba06723a94d43d@...kaller.appspotmail.com
Signed-off-by: Martijn Coenen <maco@...roid.com>
Cc: stable <stable@...r.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
drivers/android/binder.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2785,6 +2785,14 @@ static void binder_transaction(struct bi
else
return_error = BR_DEAD_REPLY;
mutex_unlock(&context->context_mgr_node_lock);
+ if (target_node && target_proc == proc) {
+ binder_user_error("%d:%d got transaction to context manager from process owning it\n",
+ proc->pid, thread->pid);
+ return_error = BR_FAILED_REPLY;
+ return_error_param = -EINVAL;
+ return_error_line = __LINE__;
+ goto err_invalid_target_handle;
+ }
}
if (!target_node) {
/*
Powered by blists - more mailing lists