linux-kernel - Re: [PATCH] binder: check offset alignment in binder_get

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <CAHRSSExq7UkD1D4Q632hf0a6f=jB1O2zhUrrgY6tudtxnynU5g@mail.gmail.com>
Date: Mon, 1 Apr 2024 08:38:20 -0700
From: Todd Kjos <tkjos@...gle.com>
To: Carlos Llamas <cmllamas@...gle.com>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Arve Hjønnevåg <arve@...roid.com>, 
	Todd Kjos <tkjos@...roid.com>, Martijn Coenen <maco@...roid.com>, 
	Joel Fernandes <joel@...lfernandes.org>, Christian Brauner <brauner@...nel.org>, 
	Suren Baghdasaryan <surenb@...gle.com>, linux-kernel@...r.kernel.org, kernel-team@...roid.com, 
	Alice Ryhl <aliceryhl@...gle.com>, stable@...r.kernel.org
Subject: Re: [PATCH] binder: check offset alignment in binder_get_object()

On Sat, Mar 30, 2024 at 12:01 PM Carlos Llamas <cmllamas@...gle.com> wrote:
>
> Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying
> txn") introduced changes to how binder objects are copied. In doing so,
> it unintentionally removed an offset alignment check done through calls
> to binder_alloc_copy_from_buffer() -> check_buffer().
>
> These calls were replaced in binder_get_object() with copy_from_user(),
> so now an explicit offset alignment check is needed here. This avoids
> later complications when unwinding the objects gets harder.
>
> It is worth noting this check existed prior to commit 7a67a39320df
> ("binder: add function to copy binder object from buffer"), likely
> removed due to redundancy at the time.
>
> Fixes: 6d98eb95b450 ("binder: avoid potential data leakage when copying txn")
> Cc: stable@...r.kernel.org
> Signed-off-by: Carlos Llamas <cmllamas@...gle.com>

Acked-by: Todd Kjos <tkjos@...gle.com>

> ---
>  drivers/android/binder.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index bad28cf42010..dd6923d37931 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -1708,8 +1708,10 @@ static size_t binder_get_object(struct binder_proc *proc,
>         size_t object_size = 0;
>
>         read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);
> -       if (offset > buffer->data_size || read_size < sizeof(*hdr))
> +       if (offset > buffer->data_size || read_size < sizeof(*hdr) ||
> +           !IS_ALIGNED(offset, sizeof(u32)))
>                 return 0;
> +
>         if (u) {
>                 if (copy_from_user(object, u + offset, read_size))
>                         return 0;
> --
> 2.44.0.478.gd926399ef9-goog
>