| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 13 Oct 2020 22:08:23 +0200
From: Christian Brauner <christian.brauner@...ntu.com>
To: Todd Kjos <tkjos@...gle.com>
Cc: gregkh@...uxfoundation.org, christian@...uner.io, arve@...roid.com,
devel@...verdev.osuosl.org, linux-kernel@...r.kernel.org,
maco@...gle.com, joel@...lfernandes.org, kernel-team@...roid.com
Subject: Re: [PATCH] binder: fix UAF when releasing todo list
On Fri, Oct 09, 2020 at 04:24:55PM -0700, Todd Kjos wrote:
> When releasing a thread todo list when tearing down
> a binder_proc, the following race was possible which
> could result in a use-after-free:
>
> 1. Thread 1: enter binder_release_work from binder_thread_release
> 2. Thread 2: binder_update_ref_for_handle() -> binder_dec_node_ilocked()
> 3. Thread 2: dec nodeA --> 0 (will free node)
> 4. Thread 1: ACQ inner_proc_lock
> 5. Thread 2: block on inner_proc_lock
> 6. Thread 1: dequeue work (BINDER_WORK_NODE, part of nodeA)
> 7. Thread 1: REL inner_proc_lock
> 8. Thread 2: ACQ inner_proc_lock
> 9. Thread 2: todo list cleanup, but work was already dequeued
> 10. Thread 2: free node
> 11. Thread 2: REL inner_proc_lock
> 12. Thread 1: deref w->type (UAF)
>
> The problem was that for a BINDER_WORK_NODE, the binder_work element
> must not be accessed after releasing the inner_proc_lock while
> processing the todo list elements since another thread might be
> handling a deref on the node containing the binder_work element
> leading to the node being freed.
>
> Signed-off-by: Todd Kjos <tkjos@...gle.com>
> ---
Thanks!
Acked-by: Christian Brauner <christian.brauner@...ntu.com>
Powered by blists - more mailing lists