| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 Feb 2019 15:22:57 -0800
From: Todd Kjos <tkjos@...roid.com>
To: tkjos@...gle.com, gregkh@...uxfoundation.org, arve@...roid.com,
devel@...verdev.osuosl.org, linux-kernel@...r.kernel.org,
maco@...gle.com
Cc: joel@...lfernandes.org, kernel-team@...roid.com,
syzbot+55de1eb4975dec156d8f@...kaller.appspotmail.com
Subject: [PATCH] binder: fix handling of misaligned binder object
Fixes crash found by syzbot:
kernel BUG at drivers/android/binder_alloc.c:LINE! (2)
Reported-by: syzbot+55de1eb4975dec156d8f@...kaller.appspotmail.com
Signed-off-by: Todd Kjos <tkjos@...gle.com>
---
Applies to linux-next
drivers/android/binder.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 2dba539eb792c..8685882da64cd 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2057,7 +2057,7 @@ static size_t binder_get_object(struct binder_proc *proc,
size_t object_size = 0;
read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);
- if (read_size < sizeof(*hdr))
+ if (read_size < sizeof(*hdr) || !IS_ALIGNED(offset, sizeof(u32)))
return 0;
binder_alloc_copy_from_buffer(&proc->alloc, object, buffer,
offset, read_size);
--
2.21.0.rc0.258.g878e2cd30e-goog
Powered by blists - more mailing lists