| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 27 Mar 2022 13:18:17 +0200
From: Christophe JAILLET <christophe.jaillet@...adoo.fr>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Arve Hjønnevåg <arve@...roid.com>,
Todd Kjos <tkjos@...roid.com>,
Martijn Coenen <maco@...roid.com>,
Joel Fernandes <joel@...lfernandes.org>,
Christian Brauner <brauner@...nel.org>,
Hridya Valsaraju <hridya@...gle.com>,
Suren Baghdasaryan <surenb@...gle.com>
Cc: linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org,
Christophe JAILLET <christophe.jaillet@...adoo.fr>,
Todd Kjos <tkjos@...gle.com>
Subject: [PATCH] binderfs: Fix the maximum minor value in binderfs_binder_device_create() and binderfs_binder_ctl_create()
ida_alloc_max(..., max, ...) returns values from 0 to max, inclusive.
So, BINDERFS_MAX_MINOR is a valid value for 'minor'.
BINDERFS_MAX_MINOR is '1U << MINORBITS' and we have:
#define MKDEV(ma,mi) (((ma) << MINORBITS) | (mi))
So, When this value is used in MKDEV() and it will overflow.
Fixes: 3ad20fe393b3 ("binder: implement binderfs")
Signed-off-by: Christophe JAILLET <christophe.jaillet@...adoo.fr>
---
This patch is completely speculative.
The 'BINDERFS_MAX_MINOR_CAPPED - 1' is here only for symmetry with the
BINDERFS_MAX_MINOR case. I'm not sure at all that is is needed and, more
importantly, that it is correct.
---
drivers/android/binderfs.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c
index e3605cdd4335..47df1f381150 100644
--- a/drivers/android/binderfs.c
+++ b/drivers/android/binderfs.c
@@ -130,8 +130,8 @@ static int binderfs_binder_device_create(struct inode *ref_inode,
mutex_lock(&binderfs_minors_mutex);
if (++info->device_count <= info->mount_opts.max)
minor = ida_alloc_max(&binderfs_minors,
- use_reserve ? BINDERFS_MAX_MINOR :
- BINDERFS_MAX_MINOR_CAPPED,
+ use_reserve ? BINDERFS_MAX_MINOR - 1:
+ BINDERFS_MAX_MINOR_CAPPED - 1,
GFP_KERNEL);
else
minor = -ENOSPC;
@@ -433,8 +433,8 @@ static int binderfs_binder_ctl_create(struct super_block *sb)
/* Reserve a new minor number for the new device. */
mutex_lock(&binderfs_minors_mutex);
minor = ida_alloc_max(&binderfs_minors,
- use_reserve ? BINDERFS_MAX_MINOR :
- BINDERFS_MAX_MINOR_CAPPED,
+ use_reserve ? BINDERFS_MAX_MINOR - 1 :
+ BINDERFS_MAX_MINOR_CAPPED - 1,
GFP_KERNEL);
mutex_unlock(&binderfs_minors_mutex);
if (minor < 0) {
--
2.32.0
Powered by blists - more mailing lists