lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAKUd0B-9ifaMBAxhaUZjppks8PCy4oCy=erRNnPBjrRxOGKUxQ@mail.gmail.com>
Date:   Wed, 6 Oct 2021 16:28:23 -0700
From:   Ramji Jiyani <ramjiyani@...gle.com>
To:     Eric Biggers <ebiggers@...nel.org>
Cc:     arnd@...db.de, viro@...iv.linux.org.uk, bcrl@...ck.org, hch@....de,
        kernel-team@...roid.com, linux-aio@...ck.org,
        linux-arch@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, oleg@...hat.com,
        Jeff Moyer <jmoyer@...hat.com>, stable@...r.kernel.org
Subject: Re: [PATCH v3] aio: Add support for the POLLFREE

On Wed, Oct 6, 2021 at 3:48 PM Eric Biggers <ebiggers@...nel.org> wrote:
>
> On Wed, Oct 06, 2021 at 10:43:11PM +0000, Ramji Jiyani wrote:
> > Fixes: f5cb779ba163 ("ANDROID: binder: remove waitqueue when thread exits.")
> > Signed-off-by: Ramji Jiyani <ramjiyani@...gle.com>
> > Reviewed-by: Jeff Moyer <jmoyer@...hat.com>
> > Cc: stable@...r.kernel.org # 4.19+
>
> The commit that this claims to be fixing is in linux-4.4.y, so either the fixes
> tag is wrong or the Cc stable tag is wrong.  It's important to provide correct
> information here for backporting purposes, so please do so.
>

Stable tag is correct; Fixes tag in this case is tricky.

In 4.4 only way to poll binder file was via eventpoll and since binder wasn't
flagging the POLLFREE before thread exit there was an UAF. Which got fixed
by the commit currently Fixes tag is referring.

Later, aio got enhanced by adding a polling feature in 4.19 [1].
That introduced one more way to poll binder files; but it did not include
support for POLLFREE, so UAF exists.

Should the Fixes tag refer to Commit bfe4037e722e ("aio: implement
IOCB_CMD_POLL") [2] in this case?

[1] https://lore.kernel.org/lkml/20180110155853.32348-32-hch@lst.de/
[2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/fs/aio.c?h=v4.19.209&id=bfe4037e722ec672c9dafd5730d9132afeeb76e9

> - Eric

~ Ramji

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ