lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 3 Aug 2022 09:29:24 +0200
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Carlos Llamas <cmllamas@...gle.com>
Cc:     Arve Hjønnevåg <arve@...roid.com>,
        Todd Kjos <tkjos@...roid.com>,
        Martijn Coenen <maco@...roid.com>,
        Christian Brauner <brauner@...nel.org>,
        Joel Fernandes <joel@...lfernandes.org>,
        Suren Baghdasaryan <surenb@...gle.com>,
        kernel-team@...roid.com, linux-kernel@...r.kernel.org,
        stable@...r.kernel.org
Subject: Re: [PATCH] binder: fix UAF of ref->proc caused by race condition

On Tue, Aug 02, 2022 at 07:40:32PM +0000, Carlos Llamas wrote:
> On Mon, Aug 01, 2022 at 06:25:11PM +0000, Carlos Llamas wrote:
> > A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the
> > reference for a node. In this case, the target proc normally releases
> > the failed reference upon close as expected. However, if the target is
> > dying in parallel the call will race with binder_deferred_release(), so
> > the target could have released all of its references by now leaving the
> > cleanup of the new failed reference unhandled.
> > 
> > The transaction then ends and the target proc gets released making the
> > ref->proc now a dangling pointer. Later on, ref->node is closed and we
> > attempt to take spin_lock(&ref->proc->inner_lock), which leads to the
> > use-after-free bug reported below. Let's fix this by cleaning up the
> > failed reference on the spot instead of relying on the target to do so.
> > 
> >   ==================================================================
> >   BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150
> >   Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590
> > 
> >   CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10
> >   Hardware name: linux,dummy-virt (DT)
> >   Workqueue: events binder_deferred_func
> >   Call trace:
> >    dump_backtrace.part.0+0x1d0/0x1e0
> >    show_stack+0x18/0x70
> >    dump_stack_lvl+0x68/0x84
> >    print_report+0x2e4/0x61c
> >    kasan_report+0xa4/0x110
> >    kasan_check_range+0xfc/0x1a4
> >    __kasan_check_write+0x3c/0x50
> >    _raw_spin_lock+0xa8/0x150
> >    binder_deferred_func+0x5e0/0x9b0
> >    process_one_work+0x38c/0x5f0
> >    worker_thread+0x9c/0x694
> >    kthread+0x188/0x190
> >    ret_from_fork+0x10/0x20
> > 
> > Signed-off-by: Carlos Llamas <cmllamas@...gle.com>
> > ---
> >  drivers/android/binder.c | 12 ++++++++++++
> >  1 file changed, 12 insertions(+)
> > 
> > diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> > index 362c0deb65f1..9d42afe60180 100644
> > --- a/drivers/android/binder.c
> > +++ b/drivers/android/binder.c
> > @@ -1361,6 +1361,18 @@ static int binder_inc_ref_for_node(struct binder_proc *proc,
> >  	}
> >  	ret = binder_inc_ref_olocked(ref, strong, target_list);
> >  	*rdata = ref->data;
> > +	if (ret && ref == new_ref) {
> > +		/*
> > +		 * Cleanup the failed reference here as the target
> > +		 * could now be dead and have already released its
> > +		 * references by now. Calling on the new reference
> > +		 * with strong=0 and a tmp_refs will not decrement
> > +		 * the node. The new_ref gets kfree'd below.
> > +		 */
> > +		binder_cleanup_ref_olocked(new_ref);
> > +		ref = NULL;
> > +	}
> > +
> >  	binder_proc_unlock(proc);
> >  	if (new_ref && ref != new_ref)
> >  		/*
> > -- 
> > 2.37.1.455.g008518b4e5-goog
> > 
> 
> Sorry, I forgot to CC stable. This patch should be applied to all stable
> kernels starting with 4.14 and higher.
> 
> Cc: stable@...r.kernel.org # 4.14+

Thanks, I'll add this when I queue it up after 5.20-rc1 is out.

greg k-h

Powered by blists - more mailing lists