lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1432854511-33320-8-git-send-email-riandrews@android.com>
Date:	Thu, 28 May 2015 16:08:25 -0700
From:	Riley Andrews <riandrews@...roid.com>
To:	linux-kernel@...r.kernel.org,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Arve Hjønnevåg <arve@...roid.com>,
	Riley Andrews <riandrews@...roid.com>,
	devel@...verdev.osuosl.org
Subject: [PATCH 07/13] android: binder: add functions for manipulating transaction stack

Add helper functions for manipulating the transaction stack, and
for validating the transaction stack during binder transactions
and replies.

Signed-off-by: Riley Andrews <riandrews@...roid.com>
---
 drivers/android/binder.c | 126 +++++++++++++++++++++++++++++------------------
 1 file changed, 79 insertions(+), 47 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 99a3270..ed94121 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1167,14 +1167,20 @@ static int binder_dec_ref(struct binder_ref *ref, int strong)
 	return 0;
 }
 
+static void binder_push_transaction(struct binder_thread *thread,
+				    struct binder_transaction *t)
+{
+	t->from_parent = thread->transaction_stack;
+	thread->transaction_stack = t;
+}
+
 static void binder_pop_transaction(struct binder_thread *target_thread,
 				   struct binder_transaction *t)
 {
 	if (target_thread) {
 		BUG_ON(target_thread->transaction_stack != t);
 		BUG_ON(target_thread->transaction_stack->from != target_thread);
-		target_thread->transaction_stack =
-			target_thread->transaction_stack->from_parent;
+		target_thread->transaction_stack = t->from_parent;
 		t->from = NULL;
 	}
 	t->need_reply = 0;
@@ -1184,6 +1190,24 @@ static void binder_pop_transaction(struct binder_thread *target_thread,
 	binder_stats_deleted(BINDER_STAT_TRANSACTION);
 }
 
+static void binder_dst_save_transaction(struct binder_thread *thread,
+					struct binder_transaction *t)
+{
+	t->to_parent = thread->transaction_stack;
+	thread->transaction_stack = t;
+}
+
+static struct binder_transaction *
+binder_dst_restore_transaction(struct binder_thread *thread)
+{
+	struct binder_transaction *t = thread->transaction_stack;
+
+	if (!t)
+		return NULL;
+	thread->transaction_stack = t->to_parent;
+	return t;
+}
+
 static void binder_send_failed_reply(struct binder_transaction *t,
 				     uint32_t error_code)
 {
@@ -1559,6 +1583,47 @@ static int binder_get_tr_target_node(struct binder_thread *thread,
 	return BR_OK;
 }
 
+static int binder_reply_validate_stack(struct binder_thread *thread)
+{
+	struct binder_proc *proc = thread->proc;
+	struct binder_transaction *in_reply_to = NULL;
+
+	in_reply_to = thread->transaction_stack;
+	if (!in_reply_to) {
+		binder_user_error("%d:%d got reply transaction with no transaction stack\n",
+				  proc->pid, thread->pid);
+		return BR_FAILED_REPLY;
+	}
+	if (in_reply_to->to_thread != thread) {
+		binder_user_error("%d:%d got reply transaction with bad transaction stack, transaction %d has target %d:%d\n",
+				  proc->pid, thread->pid, in_reply_to->debug_id,
+				  in_reply_to->to_proc ?
+				  in_reply_to->to_proc->pid : 0,
+				  in_reply_to->to_thread ?
+				  in_reply_to->to_thread->pid : 0);
+		return BR_FAILED_REPLY;
+	}
+	return BR_OK;
+}
+
+static int binder_tr_validate_stack(struct binder_thread *thread)
+{
+	struct binder_transaction *prior = thread->transaction_stack;
+	struct binder_proc *proc = thread->proc;
+
+	if (prior->to_thread != thread) {
+		binder_user_error("%d:%d got new transaction with bad transaction stack, transaction %d has target %d:%d\n",
+				  proc->pid, thread->pid,
+				  prior->debug_id,
+				  prior->to_proc ?
+				  prior->to_proc->pid : 0,
+				  prior->to_thread ?
+				  prior->to_thread->pid : 0);
+		return BR_FAILED_REPLY;
+	}
+	return BR_OK;
+}
+
 static void binder_transaction(struct binder_thread *thread,
 			       struct binder_transaction_data *tr, int reply)
 {
@@ -1584,42 +1649,17 @@ static void binder_transaction(struct binder_thread *thread,
 	e->offsets_size = tr->offsets_size;
 
 	if (reply) {
-		in_reply_to = thread->transaction_stack;
-		if (in_reply_to == NULL) {
-			binder_user_error("%d:%d got reply transaction with no transaction stack\n",
-					  proc->pid, thread->pid);
-			return_error = BR_FAILED_REPLY;
-			goto err_empty_call_stack;
-		}
-		binder_set_nice(in_reply_to->saved_priority);
-		if (in_reply_to->to_thread != thread) {
-			binder_user_error("%d:%d got reply transaction with bad transaction stack, transaction %d has target %d:%d\n",
-				proc->pid, thread->pid, in_reply_to->debug_id,
-				in_reply_to->to_proc ?
-				in_reply_to->to_proc->pid : 0,
-				in_reply_to->to_thread ?
-				in_reply_to->to_thread->pid : 0);
-			return_error = BR_FAILED_REPLY;
-			in_reply_to = NULL;
+		return_error = binder_reply_validate_stack(thread);
+		if (return_error != BR_OK)
 			goto err_bad_call_stack;
-		}
-		thread->transaction_stack = in_reply_to->to_parent;
+		in_reply_to = binder_dst_restore_transaction(thread);
+		binder_set_nice(in_reply_to->saved_priority);
 		target_thread = in_reply_to->from;
-		if (target_thread == NULL) {
+		if (!target_thread) {
 			return_error = BR_DEAD_REPLY;
 			goto err_dead_binder;
 		}
-		if (target_thread->transaction_stack != in_reply_to) {
-			binder_user_error("%d:%d got reply transaction with bad target transaction stack %d, expected %d\n",
-				proc->pid, thread->pid,
-				target_thread->transaction_stack ?
-				target_thread->transaction_stack->debug_id : 0,
-				in_reply_to->debug_id);
-			return_error = BR_FAILED_REPLY;
-			in_reply_to = NULL;
-			target_thread = NULL;
-			goto err_dead_binder;
-		}
+		BUG_ON(target_thread->transaction_stack != in_reply_to);
 		target_proc = target_thread->proc;
 	} else {
 		return_error = binder_get_tr_target_node(thread, tr,
@@ -1640,16 +1680,11 @@ static void binder_transaction(struct binder_thread *thread,
 		if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) {
 			struct binder_transaction *tmp;
 
-			tmp = thread->transaction_stack;
-			if (tmp->to_thread != thread) {
-				binder_user_error("%d:%d got new transaction with bad transaction stack, transaction %d has target %d:%d\n",
-					proc->pid, thread->pid, tmp->debug_id,
-					tmp->to_proc ? tmp->to_proc->pid : 0,
-					tmp->to_thread ?
-					tmp->to_thread->pid : 0);
-				return_error = BR_FAILED_REPLY;
+			return_error = binder_tr_validate_stack(thread);
+			if (return_error != BR_OK)
 				goto err_bad_call_stack;
-			}
+
+			tmp = thread->transaction_stack;
 			while (tmp) {
 				if (tmp->from && tmp->from->proc == target_proc)
 					target_thread = tmp->from;
@@ -1755,8 +1790,7 @@ static void binder_transaction(struct binder_thread *thread,
 	} else if (!(t->flags & TF_ONE_WAY)) {
 		BUG_ON(t->buffer->async_transaction != 0);
 		t->need_reply = 1;
-		t->from_parent = thread->transaction_stack;
-		thread->transaction_stack = t;
+		binder_push_transaction(thread, t);
 	} else {
 		BUG_ON(target_node == NULL);
 		BUG_ON(t->buffer->async_transaction != 1);
@@ -1786,7 +1820,6 @@ err_alloc_tcomplete_failed:
 	binder_stats_deleted(BINDER_STAT_TRANSACTION);
 err_alloc_t_failed:
 err_bad_call_stack:
-err_empty_call_stack:
 err_dead_binder:
 err_invalid_target_handle:
 	binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
@@ -2579,9 +2612,8 @@ retry:
 		list_del(&t->work.entry);
 		t->buffer->allow_user_free = 1;
 		if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) {
-			t->to_parent = thread->transaction_stack;
 			t->to_thread = thread;
-			thread->transaction_stack = t;
+			binder_dst_save_transaction(thread, t);
 		} else {
 			t->buffer->transaction = NULL;
 			kfree(t);
-- 
2.2.0.rc0.207.ga3a616c

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ