lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 27 Mar 2022 13:18:17 +0200 From: Christophe JAILLET <christophe.jaillet@...adoo.fr> To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Arve Hjønnevåg <arve@...roid.com>, Todd Kjos <tkjos@...roid.com>, Martijn Coenen <maco@...roid.com>, Joel Fernandes <joel@...lfernandes.org>, Christian Brauner <brauner@...nel.org>, Hridya Valsaraju <hridya@...gle.com>, Suren Baghdasaryan <surenb@...gle.com> Cc: linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org, Christophe JAILLET <christophe.jaillet@...adoo.fr>, Todd Kjos <tkjos@...gle.com> Subject: [PATCH] binderfs: Fix the maximum minor value in binderfs_binder_device_create() and binderfs_binder_ctl_create() ida_alloc_max(..., max, ...) returns values from 0 to max, inclusive. So, BINDERFS_MAX_MINOR is a valid value for 'minor'. BINDERFS_MAX_MINOR is '1U << MINORBITS' and we have: #define MKDEV(ma,mi) (((ma) << MINORBITS) | (mi)) So, When this value is used in MKDEV() and it will overflow. Fixes: 3ad20fe393b3 ("binder: implement binderfs") Signed-off-by: Christophe JAILLET <christophe.jaillet@...adoo.fr> --- This patch is completely speculative. The 'BINDERFS_MAX_MINOR_CAPPED - 1' is here only for symmetry with the BINDERFS_MAX_MINOR case. I'm not sure at all that is is needed and, more importantly, that it is correct. --- drivers/android/binderfs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c index e3605cdd4335..47df1f381150 100644 --- a/drivers/android/binderfs.c +++ b/drivers/android/binderfs.c @@ -130,8 +130,8 @@ static int binderfs_binder_device_create(struct inode *ref_inode, mutex_lock(&binderfs_minors_mutex); if (++info->device_count <= info->mount_opts.max) minor = ida_alloc_max(&binderfs_minors, - use_reserve ? BINDERFS_MAX_MINOR : - BINDERFS_MAX_MINOR_CAPPED, + use_reserve ? BINDERFS_MAX_MINOR - 1: + BINDERFS_MAX_MINOR_CAPPED - 1, GFP_KERNEL); else minor = -ENOSPC; @@ -433,8 +433,8 @@ static int binderfs_binder_ctl_create(struct super_block *sb) /* Reserve a new minor number for the new device. */ mutex_lock(&binderfs_minors_mutex); minor = ida_alloc_max(&binderfs_minors, - use_reserve ? BINDERFS_MAX_MINOR : - BINDERFS_MAX_MINOR_CAPPED, + use_reserve ? BINDERFS_MAX_MINOR - 1 : + BINDERFS_MAX_MINOR_CAPPED - 1, GFP_KERNEL); mutex_unlock(&binderfs_minors_mutex); if (minor < 0) { -- 2.32.0
Powered by blists - more mailing lists