Message-Id: <20260206085336.32819-2-jongan.kim@lge.com>
Date: Fri,  6 Feb 2026 17:53:34 +0900
From: jongan.kim@....com
To: aliceryhl@...gle.com,
	a.hindborg@...nel.org,
	arve@...roid.com,
	bjorn3_gh@...tonmail.com,
	boqun.feng@...il.com,
	brauner@...nel.org,
	cmllamas@...gle.com,
	dakr@...nel.org,
	daniel.almeida@...labora.com,
	gary@...yguo.net,
	gregkh@...uxfoundation.org,
	tamird@...il.com,
	tkjos@...roid.com,
	tmgross@...ch.edu,
	viresh.kumar@...aro.org,
	vitaly.wool@...sulko.se,
	yury.norov@...il.com,
	ojeda@...nel.org,
	lossin@...nel.org
Cc: heesu0025.kim@....com,
	ht.hong@....com,
	jongan.kim@....com,
	jungsu.hwang@....com,
	kernel-team@...roid.com,
	linux-kernel@...r.kernel.org,
	rust-for-linux@...r.kernel.org,
	sanghun.lee@....com,
	seulgi.lee@....com,
	sunghoon.kim@....com
Subject: [PATCH v4 1/3] binder: fix PID namespace collision for freeze operation

From: JongAn Kim <jongan.kim@....com>

Currently, when a freeze is attempted from a non-init PID namespace,
there is a possibility that the wrong process in the init namespace
may be frozen due to PID collision across namespaces.

For example, if a container with PID namespace has a process with
PID 100 (which maps to PID 5000 in init namespace), attempting to
freeze PID 100 from the container could incorrectly match a different
process with PID 100 in the init namespace.

This patch fixes the issue by:
1. Using find_get_task_by_vpid() to get task_struct from caller's namespace
2. Comparing task_struct pointers directly instead of PID values
3. This ensures we match the exact task regardless of PID namespace

This change ensures correct PID handling when binder freeze occurs in
non-init PID namespace.

Suggested-by: Alice Ryhl <aliceryhl@...gle.com>
Link: https://lore.kernel.org/lkml/aXs5Y3xAFKyZr6nd@google.com/
Signed-off-by: JongAn Kim <jongan.kim@....com>
---
v3 -> v4 :
- clarify the subject line
- compare task_struct pointers directly instead of PID values

v2 -> v3 : change to use task->tgid instead of task_tgid_nr_ns()

 drivers/android/binder.c | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 535fc881c8da..6d68f98a18db 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -5717,13 +5717,18 @@ static int binder_ioctl_get_freezer_info(
 	struct binder_proc *target_proc;
 	bool found = false;
 	__u32 txns_pending;
+	struct task_struct *task;
 
 	info->sync_recv = 0;
 	info->async_recv = 0;
 
+	task = find_get_task_by_vpid(info->pid);
+	if (!task)
+		return -ESRCH;
+
 	mutex_lock(&binder_procs_lock);
 	hlist_for_each_entry(target_proc, &binder_procs, proc_node) {
-		if (target_proc->pid == info->pid) {
+		if (target_proc->tsk == task) {
 			found = true;
 			binder_inner_proc_lock(target_proc);
 			txns_pending = binder_txns_pending_ilocked(target_proc);
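Review bot: The new lookup changes the error code userspace sees for an unknown PID: a pid with no task in the caller's namespace now returns -ESRCH (the `if (!task)` check right after `find_get_task_by_vpid()`), while a pid that exists but has no matching binder_proc still falls through to the existing `return -EINVAL;` on the not-found path, whereas before the patch both cases produced -EINVAL. BINDER_GET_FROZEN_INFO is a UAPI ioctl, so either keep `return -EINVAL;` for the missing-task case or state the new -ESRCH in the commit message and the uapi header so callers that test for EINVAL are not surprised. The pointer comparison itself looks sound: the lookup holds a task_struct reference for the duration of the walk and `target_proc->tsk` is presumably pinned by binder_open(), so the compared pointer cannot be recycled under the mutex. binder_ioctl_get_freezer_info() starts before this hunk and continues past it.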
@@ -5734,6 +5739,7 @@ static int binder_ioctl_get_freezer_info(
 		}
 	}
 	mutex_unlock(&binder_procs_lock);
+	put_task_struct(task);
 
 	if (!found)
 		return -EINVAL;
@@ -5869,6 +5875,7 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 		struct binder_freeze_info info;
 		struct binder_proc **target_procs = NULL, *target_proc;
 		int target_procs_count = 0, i = 0;
+		struct task_struct *task;
 
 		ret = 0;
 
@@ -5877,14 +5884,21 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 			goto err;
 		}
 
+		task = find_get_task_by_vpid(info.pid);
+		if (!task) {
+			ret = -ESRCH;
+			goto err;
+		}
+
 		mutex_lock(&binder_procs_lock);
 		hlist_for_each_entry(target_proc, &binder_procs, proc_node) {
-			if (target_proc->pid == info.pid)
+			if (target_proc->tsk == task)
 				target_procs_count++;
 		}
 
 		if (target_procs_count == 0) {
 			mutex_unlock(&binder_procs_lock);
+			put_task_struct(task);
 			ret = -EINVAL;
 			goto err;
 		}
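Review bot: find_get_task_by_vpid() resolves any task id, including a non-leader thread's, while `target_proc->tsk` is presumably the thread-group leader recorded at binder_open(); a caller passing a TID therefore gets -EINVAL from the `target_procs_count == 0` check rather than any hint that a TGID was expected — the same outcome as the old pid comparison, but worth stating at the lookup with `/* info.pid is a TGID in the caller's PID namespace; thread ids never match proc->tsk */`. The task reference taken here is released on three separate exits (the count check, the allocation failure and the end of the second walk in later hunks), so any early exit added between them must also drop it; a short comment on the lookup saying the reference is held until the proc walk completes would make that obligation visible. The enclosing BINDER_FREEZE case and binder_ioctl() extend beyond this hunk.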
@@ -5895,12 +5909,13 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 
 		if (!target_procs) {
 			mutex_unlock(&binder_procs_lock);
+			put_task_struct(task);
 			ret = -ENOMEM;
 			goto err;
 		}
 
 		hlist_for_each_entry(target_proc, &binder_procs, proc_node) {
-			if (target_proc->pid != info.pid)
+			if (target_proc->tsk != task)
 				continue;
 
 			binder_inner_proc_lock(target_proc);
@@ -5910,6 +5925,7 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 			target_procs[i++] = target_proc;
 		}
 		mutex_unlock(&binder_procs_lock);
+		put_task_struct(task);
 
 		for (i = 0; i < target_procs_count; i++) {
 			if (ret >= 0)
-- 
2.25.1

