[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20180328091233.83914-1-maco@android.com>
Date: Wed, 28 Mar 2018 11:12:33 +0200
From: Martijn Coenen <maco@...roid.com>
To: gregkh@...uxfoundation.org, john.stultz@...aro.org,
tkjos@...gle.com, arve@...roid.com, amit.pundir@...aro.org
Cc: linux-kernel@...r.kernel.org, devel@...verdev.osuosl.org,
maco@...gle.com, Martijn Coenen <maco@...roid.com>
Subject: [v2] ANDROID: binder: prevent transactions into own process.
This can't happen with normal nodes (because you can't get a ref
to a node you own), but it could happen with the context manager;
to make the behavior consistent with regular nodes, reject
transactions into the context manager by the process owning it.
Reported-by: syzbot+09e05aba06723a94d43d@...kaller.appspotmail.com
Signed-off-by: Martijn Coenen <maco@...roid.com>
---
Changed in v2:
- Use target_proc directly to avoid dereference.
drivers/android/binder.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 764b63a5aade..e578eee31589 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2839,6 +2839,14 @@ static void binder_transaction(struct binder_proc *proc,
else
return_error = BR_DEAD_REPLY;
mutex_unlock(&context->context_mgr_node_lock);
+ if (target_node && target_proc == proc) {
+ binder_user_error("%d:%d got transaction to context manager from process owning it\n",
+ proc->pid, thread->pid);
+ return_error = BR_FAILED_REPLY;
+ return_error_param = -EINVAL;
+ return_error_line = __LINE__;
+ goto err_invalid_target_handle;
+ }
}
if (!target_node) {
/*
--
2.17.0.rc1.321.gba9d0f2565-goog
Powered by blists - more mailing lists