Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 4f3d133c authored by Todd Kjos's avatar Todd Kjos Committed by Kyle Yan
Browse files

FROMLIST: binder: fix use-after-free in binder_transaction() 

(from https://patchwork.kernel.org/patch/9978801/

)

User-space normally keeps the node alive when creating a transaction
since it has a reference to the target. The local strong ref keeps it
alive if the sending process dies before the target process processes
the transaction. If the source process is malicious or has a reference
counting bug, this can fail.

In this case, when we attempt to decrement the node in the failure
path, the node has already been freed.

This is fixed by taking a tmpref on the node while constructing
the transaction. To avoid re-acquiring the node lock and inner
proc lock to increment the proc's tmpref, a helper is used that
does the ref increments on both the node and proc.

Bug: 66899329
Change-Id: Iad40e1e0bccee88234900494fb52a510a37fe8d7
Signed-off-by: default avatarTodd Kjos <tkjos@google.com>
Git-commit: 291d9682
Git-repo: https://android.googlesource.com/kernel/common


Signed-off-by: default avatarKyle Yan <kyan@codeaurora.org>
parent 51c75b62
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment