lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1432854511-33320-6-git-send-email-riandrews@android.com>
Date:	Thu, 28 May 2015 16:08:23 -0700
From:	Riley Andrews <riandrews@...roid.com>
To:	linux-kernel@...r.kernel.org,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Arve Hjønnevåg <arve@...roid.com>,
	Riley Andrews <riandrews@...roid.com>,
	devel@...verdev.osuosl.org
Subject: [PATCH 05/13] android: binder: refactor binder_transact transaction buffer loop

Pull the loop that translates the flat_binder_objects into a separate
function, binder_transaction_buffer_acquire.

Signed-off-by: Riley Andrews <riandrews@...roid.com>
---
 drivers/android/binder.c | 128 ++++++++++++++++++++++++++++-------------------
 1 file changed, 77 insertions(+), 51 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index a9a160a..407c1ee 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1464,12 +1464,84 @@ err_fd_not_accepted:
 	return BR_FAILED_REPLY;
 }
 
+static int binder_transaction_buffer_acquire(
+	struct binder_transaction *t, struct binder_transaction_data *tr,
+	struct binder_thread *thread, struct binder_transaction *in_reply_to)
+{
+	struct binder_proc *proc = thread->proc;
+	binder_size_t *offp, *off_end, off_min;
+	struct flat_binder_object *fp;
+	uint32_t result;
+
+	if (!IS_ALIGNED(tr->offsets_size, sizeof(binder_size_t))) {
+		binder_user_error("%d:%d got transaction with invalid offsets size, %lld\n",
+				  proc->pid, thread->pid,
+				  (u64)tr->offsets_size);
+		return BR_FAILED_REPLY;
+	}
+
+	if (t->buffer->target_node)
+		binder_inc_node(t->buffer->target_node, 1, 0, NULL);
+
+	off_min = 0;
+	offp = (binder_size_t *)(t->buffer->data +
+				 ALIGN(tr->data_size, sizeof(void *)));
+	off_end = (void *)offp + tr->offsets_size;
+	for (; offp < off_end; offp++) {
+		if (*offp > t->buffer->data_size - sizeof(*fp) ||
+		    *offp < off_min ||
+		    t->buffer->data_size < sizeof(*fp) ||
+		    !IS_ALIGNED(*offp, sizeof(u32))) {
+			binder_user_error("%d:%d got transaction with invalid offset, %lld (min %lld, max %lld)\n",
+					  proc->pid, thread->pid, (u64)*offp,
+					  (u64)off_min,
+					  (u64)(t->buffer->data_size -
+					  sizeof(*fp)));
+			result = BR_FAILED_REPLY;
+			goto error;
+		}
+		fp = (struct flat_binder_object *)(t->buffer->data + *offp);
+		off_min = *offp + sizeof(struct flat_binder_object);
+		switch (fp->type) {
+		case BINDER_TYPE_BINDER:
+		case BINDER_TYPE_WEAK_BINDER:
+			result = binder_translate_object(fp, t, thread);
+			if (result != BR_OK)
+				goto error;
+			break;
+		case BINDER_TYPE_HANDLE:
+		case BINDER_TYPE_WEAK_HANDLE:
+			result = binder_translate_handle(fp, t, thread);
+			if (result != BR_OK)
+				goto error;
+			break;
+		case BINDER_TYPE_FD:
+			result = binder_translate_fd(fp, t, thread,
+						     in_reply_to);
+			if (result != BR_OK)
+				goto error;
+			break;
+		default:
+			binder_user_error("got transaction with invalid object type, %x\n",
+					  fp->type);
+			result = BR_FAILED_REPLY;
+			goto error;
+		}
+	}
+	return BR_OK;
+
+error:
+	trace_binder_transaction_failed_buffer_release(t->buffer);
+	binder_transaction_buffer_release(t->to_proc, t->buffer, offp);
+	return result;
+}
+
 static void binder_transaction(struct binder_thread *thread,
 			       struct binder_transaction_data *tr, int reply)
 {
 	struct binder_transaction *t;
 	struct binder_work *tcomplete;
-	binder_size_t *offp, *off_end;
+	binder_size_t *offp;
 	struct binder_proc *target_proc;
 	struct binder_thread *target_thread = NULL;
 	struct binder_node *target_node = NULL;
@@ -1645,8 +1717,6 @@ static void binder_transaction(struct binder_thread *thread,
 	t->buffer->transaction = t;
 	t->buffer->target_node = target_node;
 	trace_binder_transaction_alloc_buf(t->buffer);
-	if (target_node)
-		binder_inc_node(target_node, 1, 0, NULL);
 
 	offp = (binder_size_t *)(t->buffer->data +
 				 ALIGN(tr->data_size, sizeof(void *)));
@@ -1665,51 +1735,11 @@ static void binder_transaction(struct binder_thread *thread,
 		return_error = BR_FAILED_REPLY;
 		goto err_copy_data_failed;
 	}
-	if (!IS_ALIGNED(tr->offsets_size, sizeof(binder_size_t))) {
-		binder_user_error("%d:%d got transaction with invalid offsets size, %lld\n",
-				proc->pid, thread->pid, (u64)tr->offsets_size);
-		return_error = BR_FAILED_REPLY;
-		goto err_bad_offset;
-	}
-	off_end = (void *)offp + tr->offsets_size;
-	for (; offp < off_end; offp++) {
-		struct flat_binder_object *fp;
+	return_error = binder_transaction_buffer_acquire(t, tr, thread,
+							 in_reply_to);
+	if (return_error != BR_OK)
+		goto err_translate_failed;
 
-		if (*offp > t->buffer->data_size - sizeof(*fp) ||
-		    t->buffer->data_size < sizeof(*fp) ||
-		    !IS_ALIGNED(*offp, sizeof(u32))) {
-			binder_user_error("%d:%d got transaction with invalid offset, %lld\n",
-					  proc->pid, thread->pid, (u64)*offp);
-			return_error = BR_FAILED_REPLY;
-			goto err_bad_offset;
-		}
-		fp = (struct flat_binder_object *)(t->buffer->data + *offp);
-		switch (fp->type) {
-		case BINDER_TYPE_BINDER:
-		case BINDER_TYPE_WEAK_BINDER:
-			return_error = binder_translate_object(fp, t, thread);
-			if (return_error != BR_OK)
-				goto err_translate_failed;
-			break;
-		case BINDER_TYPE_HANDLE:
-		case BINDER_TYPE_WEAK_HANDLE:
-			return_error = binder_translate_handle(fp, t, thread);
-			if (return_error != BR_OK)
-				goto err_translate_failed;
-			break;
-		case BINDER_TYPE_FD:
-			return_error = binder_translate_fd(fp, t, thread,
-							   in_reply_to);
-			if (return_error != BR_OK)
-				goto err_translate_failed;
-			break;
-		default:
-			binder_user_error("%d:%d got transaction with invalid object type, %x\n",
-				proc->pid, thread->pid, fp->type);
-			return_error = BR_FAILED_REPLY;
-			goto err_bad_object_type;
-		}
-	}
 	if (reply) {
 		BUG_ON(t->buffer->async_transaction != 0);
 		binder_pop_transaction(target_thread, in_reply_to);
@@ -1736,11 +1766,7 @@ static void binder_transaction(struct binder_thread *thread,
 	return;
 
 err_translate_failed:
-err_bad_object_type:
-err_bad_offset:
 err_copy_data_failed:
-	trace_binder_transaction_failed_buffer_release(t->buffer);
-	binder_transaction_buffer_release(target_proc, t->buffer, offp);
 	t->buffer->transaction = NULL;
 	binder_free_buf(target_proc, t->buffer);
 err_binder_alloc_buf_failed:
-- 
2.2.0.rc0.207.ga3a616c

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ