Commit 4be5a281 authored Jan 30, 2018 by Eric Biggers Committed by Greg Kroah-Hartman Feb 25, 2018

binder: check for binder_thread allocation failure in binder_poll()



commit f88982679f54f75daa5b8eff3da72508f1e7422f upstream.

If the kzalloc() in binder_get_thread() fails, binder_poll()
dereferences the resulting NULL pointer.

Fix it by returning POLLERR if the memory allocation failed.

This bug was found by syzkaller using fault injection.

Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 457b9a6f ("Staging: android: add binder driver")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 2dfe49da

drivers/android/binder.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -2628,6 +2628,8 @@ static unsigned int binder_poll(struct file *filp,
		binder_lock(__func__);

		thread = binder_get_thread(proc);
		if (!thread)
		return POLLERR;

		wait_for_proc_work = thread->transaction_stack == NULL &&
		list_empty(&thread->todo) && thread->return_error == BR_OK;