lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aXJjBRbZw3xkIvhz@google.com>
Date: Thu, 22 Jan 2026 17:48:53 +0000
From: Carlos Llamas <cmllamas@...gle.com>
To: Alice Ryhl <aliceryhl@...gle.com>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Arve Hjønnevåg <arve@...roid.com>,
	Todd Kjos <tkjos@...roid.com>,
	Christian Brauner <brauner@...nel.org>, Li Li <dualli@...gle.com>,
	kernel-team@...roid.com, linux-kernel@...r.kernel.org,
	stable@...r.kernel.org
Subject: Re: [PATCH] binder: fix UAF in binder_netlink_report()

On Thu, Jan 22, 2026 at 08:27:13AM +0000, Alice Ryhl wrote:
> On Wed, Jan 21, 2026 at 04:56:25PM +0000, Carlos Llamas wrote:
> > On Wed, Jan 21, 2026 at 03:24:06PM +0000, Alice Ryhl wrote:
> > > 
> > > Erm, this solution seems dangerous to me. You access t->to_proc and
> > > t->to_thread inside binder_netlink_report(), and if t has been freed,
> > > could the same apply to t->to_proc or t->to_thread?
> > > 
> > > After looking a bit more: I can see now that you do call
> > > 
> > > 	if (target_thread)
> > > 		binder_thread_dec_tmpref(target_thread);
> > > 	binder_proc_dec_tmpref(target_proc);
> > > 	if (target_node)
> > > 		binder_dec_node_tmpref(target_node);
> > > 
> > > after this ... so I guess it can't go wrong in this particular way.
> > 
> > Right, the access to the target is safe because of the tmprefs just like
> > the rest of the transaction().
> > 
> > > But I'm concerned that we will add fields in the future where this is
> > > not the case. For example, let's say that tomorrow I want to include
> > > t->buffer->clear_on_free in the printed data. If the transaction is
> > > freed, then t->buffer might also be freed.
> > 
> > You actually can't access t->buffer already, there are scenarios where
> > the t->buffer is released before calling binder_netlink_report().
> 
> Hmm, I suppose you are right. It may be worth mentioning that you can't
> access t->buffer in a comment inside netlink_report?

ok, that is a good idea. I'll send a v2.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ