| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20260206085336.32819-4-jongan.kim@lge.com>
Date: Fri, 6 Feb 2026 17:53:36 +0900
From: jongan.kim@....com
To: aliceryhl@...gle.com,
a.hindborg@...nel.org,
arve@...roid.com,
bjorn3_gh@...tonmail.com,
boqun.feng@...il.com,
brauner@...nel.org,
cmllamas@...gle.com,
dakr@...nel.org,
daniel.almeida@...labora.com,
gary@...yguo.net,
gregkh@...uxfoundation.org,
tamird@...il.com,
tkjos@...roid.com,
tmgross@...ch.edu,
viresh.kumar@...aro.org,
vitaly.wool@...sulko.se,
yury.norov@...il.com,
ojeda@...nel.org,
lossin@...nel.org
Cc: heesu0025.kim@....com,
ht.hong@....com,
jongan.kim@....com,
jungsu.hwang@....com,
kernel-team@...roid.com,
linux-kernel@...r.kernel.org,
rust-for-linux@...r.kernel.org,
sanghun.lee@....com,
seulgi.lee@....com,
sunghoon.kim@....com
Subject: [PATCH v4 3/3] rust_binder: fix PID namespace collision for freeze operation
From: HeeSu Kim <heesu0025.kim@....com>
Port PID namespace conversion logic from C binder to the Rust
implementation.
Without namespace conversion, freeze operations from non-init namespaces
can match wrong processes due to PID collision. This adds proper
conversion to ensure freeze operations target the correct process.
This patch fixes the issue by:
- Add get_task_from_vpid() to translate VPID to Task reference
- Add Context::get_procs_with_task() for Task-based process lookup
using &mut KVec parameter to avoid intermediate allocations
- Update get_frozen_status() and ioctl_freeze() to use Task comparison
Suggested-by: Gary Guo <gary@...yguo.net>
Link: https://lore.kernel.org/rust-for-linux/DG5CFX3ML5YL.2FE913F20LNPT@garyguo.net/
Suggested-by: Alice Ryhl <aliceryhl@...gle.com>
Link: https://lore.kernel.org/lkml/aXs5Y3xAFKyZr6nd@google.com/
Signed-off-by: Heesu Kim <heesu0025.kim@....com>
---
v3 -> v4
- change subject name more clearly
- Use Task pointer comparison instead of PID number comparison
- Remove PidNamespace dependency entirely
- Use &mut KVec parameter to avoid intermediate allocation
- Merge context.rs and process.rs changes into single patch
v2 -> v3:
- Use task::Pid typedef instead of u32/i32
- Use PidNamespace::init_ns() instead of init_pid_ns()
- Compare PidNamespace directly with == instead of raw pointers
- Use Pid::find_vpid() and pid.pid_task() (dropped _with_guard suffix)
- Fix rustfmt import ordering (rcu before Arc)
- Rename TaskPid alias to PidT for clearer pid_t type indication
- Use task.group_leader().pid() instead of tgid_nr_ns() for consistency with C
drivers/android/binder/context.rs | 16 +++++++++++++++-
drivers/android/binder/process.rs | 25 +++++++++++++++++++------
2 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/drivers/android/binder/context.rs b/drivers/android/binder/context.rs
index 3d135ec03ca7..1fc779e4d9ce 100644
--- a/drivers/android/binder/context.rs
+++ b/drivers/android/binder/context.rs
@@ -9,7 +9,7 @@
security,
str::{CStr, CString},
sync::{Arc, Mutex},
- task::Kuid,
+ task::{Kuid, Task},
};
use crate::{error::BinderError, node::NodeRef, process::Process};
@@ -177,4 +177,18 @@ pub(crate) fn get_procs_with_pid(&self, pid: i32) -> Result<KVec<Arc<Process>>>
}
Ok(backing)
}
+
+ pub(crate) fn get_procs_with_task(
+ &self,
+ target: &Task,
+ out: &mut KVec<Arc<Process>>,
+ ) -> Result {
+ let lock = self.manager.lock();
+ for proc in &lock.all_procs {
+ if core::ptr::eq(&*proc.task, target) {
+ out.push(Arc::from(proc), GFP_KERNEL)?;
+ }
+ }
+ Ok(())
+ }
}
diff --git a/drivers/android/binder/process.rs b/drivers/android/binder/process.rs
index 132055b4790f..58e816f8873f 100644
--- a/drivers/android/binder/process.rs
+++ b/drivers/android/binder/process.rs
@@ -22,6 +22,7 @@
id_pool::IdPool,
list::{List, ListArc, ListArcField, ListLinks},
mm,
+ pid::Pid,
prelude::*,
rbtree::{self, RBTree, RBTreeNode, RBTreeNodeReservation},
seq_file::SeqFile,
@@ -29,9 +30,9 @@
sync::poll::PollTable,
sync::{
lock::{spinlock::SpinLockBackend, Guard},
- Arc, ArcBorrow, CondVar, CondVarTimeoutResult, Mutex, SpinLock, UniqueArc,
+ rcu, Arc, ArcBorrow, CondVar, CondVarTimeoutResult, Mutex, SpinLock, UniqueArc,
},
- task::Task,
+ task::{Pid as PidT, Task},
types::ARef,
uaccess::{UserSlice, UserSliceReader},
uapi,
@@ -1498,17 +1499,29 @@ pub(crate) fn ioctl_freeze(&self, info: &BinderFreezeInfo) -> Result {
}
}
+/// Get Task reference from VPID with refcount increment.
+fn get_task_from_vpid(pid: PidT) -> Result<ARef<Task>> {
+ let rcu_guard = rcu::read_lock();
+ let pid_struct = Pid::find_vpid(pid, &rcu_guard).ok_or(ESRCH)?;
+ let task = pid_struct.pid_task(&rcu_guard).ok_or(ESRCH)?;
+
+ Ok(ARef::from(task))
+}
+
fn get_frozen_status(data: UserSlice) -> Result {
let (mut reader, mut writer) = data.reader_writer();
let mut info = reader.read::<BinderFrozenStatusInfo>()?;
+
+ let target_task = get_task_from_vpid(info.pid as PidT)?;
+
info.sync_recv = 0;
info.async_recv = 0;
let mut found = false;
for ctx in crate::context::get_all_contexts()? {
ctx.for_each_proc(|proc| {
- if proc.task.pid() == info.pid as _ {
+ if core::ptr::eq(&*proc.task, &*target_task) {
found = true;
let inner = proc.inner.lock();
let txns_pending = inner.txns_pending_locked();
@@ -1530,15 +1543,15 @@ fn get_frozen_status(data: UserSlice) -> Result {
fn ioctl_freeze(reader: &mut UserSliceReader) -> Result {
let info = reader.read::<BinderFreezeInfo>()?;
+ let target_task = get_task_from_vpid(info.pid as PidT)?;
+
// Very unlikely for there to be more than 3, since a process normally uses at most binder and
// hwbinder.
let mut procs = KVec::with_capacity(3, GFP_KERNEL)?;
let ctxs = crate::context::get_all_contexts()?;
for ctx in ctxs {
- for proc in ctx.get_procs_with_pid(info.pid as i32)? {
- procs.push(proc, GFP_KERNEL)?;
- }
+ ctx.get_procs_with_task(&target_task, &mut procs)?;
}
for proc in procs {
--
2.25.1
Powered by blists - more mailing lists