| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 16 Nov 2017 12:37:02 -0800
From: Todd Kjos <tkjos@...roid.com>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: Todd Kjos <tkjos@...gle.com>,
"Arve Hj??nnev??g" <arve@...roid.com>, devel@...verdev.osuosl.org,
LKML <linux-kernel@...r.kernel.org>,
Martijn Coenen <maco@...gle.com>
Subject: Re: [PATCH v2] binder: fix proc->files use-after-free
Sorry about that, do you want a v3 with correct annotations?
On Thu, Nov 16, 2017 at 12:27 PM, Greg KH <gregkh@...uxfoundation.org> wrote:
> On Thu, Nov 16, 2017 at 09:56:50AM -0800, Todd Kjos wrote:
>> proc->files cleanup is initiated by binder_vma_close. Therefore
>> a reference on the binder_proc is not enough to prevent the
>> files_struct from being released while the binder_proc still has
>> a reference. This can lead to an attempt to dereference the
>> stale pointer obtained from proc->files prior to proc->files
>> cleanup. This has been seen once in task_get_unused_fd_flags()
>> when __alloc_fd() is called with a stale "files".
>>
>> The fix is to always use get_files_struct() to obtain struct_files
>> so that the refcount on the files_struct is used to prevent
>> a premature free. proc->files is removed since we get it every
>> time.
>>
>> Signed-off-by: Todd Kjos <tkjos@...gle.com>
>> ---
>> drivers/android/binder.c | 63 +++++++++++++++++++++++-------------------------
>> 1 file changed, 30 insertions(+), 33 deletions(-)
>
> For a v2 patch (or v3 or whatever), you need to put below the --- line
> what changed from the previous version(s).
> Documentation/SubmittingPatches describes this pretty well :)
>
> thanks,
>
> greg k-h
Powered by blists - more mailing lists