Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fbb4339c authored by Todd Kjos's avatar Todd Kjos Committed by Martijn Coenen
Browse files

UPSTREAM: binder: fix proc->files use-after-free 



proc->files cleanup is initiated by binder_vma_close. Therefore
a reference on the binder_proc is not enough to prevent the
files_struct from being released while the binder_proc still has
a reference. This can lead to an attempt to dereference the
stale pointer obtained from proc->files prior to proc->files
cleanup. This has been seen once in task_get_unused_fd_flags()
when __alloc_fd() is called with a stale "files".

The fix is to protect proc->files with a mutex to prevent cleanup
while in use.

Signed-off-by: default avatarTodd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org> # 4.14
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 7f3dc0088b98533f17128058fac73cd8b2752ef1)

Change-Id: I40982bb0b4615bda5459538c20eb2a913964042c
parent 6f7e5f90

drivers/android/binder.c

+31 −13
Original line number Diff line number Diff line
@@ -501,7 +501,8 @@ struct binder_priority { 
 * @tsk                   task_struct for group_leader of process

 *                        (invariant after initialized)

 * @files                 files_struct for process

 *                        (invariant after initialized)

 *                        (protected by @files_lock)

 * @files_lock            mutex to protect @files

 * @deferred_work_node:   element for binder_deferred_list

 *                        (protected by binder_deferred_lock)

 * @deferred_work:        bitmap of deferred work to perform
@@ -547,6 +548,7 @@ struct binder_proc { 
	int pid;

	struct task_struct *tsk;

	struct files_struct *files;

	struct mutex files_lock;

	struct hlist_node deferred_work_node;

	int deferred_work;

	bool is_dead;
@@ -943,20 +945,26 @@ static void binder_inc_node_tmpref_ilocked(struct binder_node *node); 


static int task_get_unused_fd_flags(struct binder_proc *proc, int flags)

{

	struct files_struct *files = proc->files;

	unsigned long rlim_cur;

	unsigned long irqs;

	int ret;



	if (files == NULL)

		return -ESRCH;



	if (!lock_task_sighand(proc->tsk, &irqs))

		return -EMFILE;



	mutex_lock(&proc->files_lock);

	if (proc->files == NULL) {

		ret = -ESRCH;

		goto err;

	}

	if (!lock_task_sighand(proc->tsk, &irqs)) {

		ret = -EMFILE;

		goto err;

	}

	rlim_cur = task_rlimit(proc->tsk, RLIMIT_NOFILE);

	unlock_task_sighand(proc->tsk, &irqs);



	return __alloc_fd(files, 0, rlim_cur, flags);

	ret = __alloc_fd(proc->files, 0, rlim_cur, flags);

err:

	mutex_unlock(&proc->files_lock);

	return ret;

}



/*
@@ -965,8 +973,10 @@ static int task_get_unused_fd_flags(struct binder_proc *proc, int flags) 
static void task_fd_install(

	struct binder_proc *proc, unsigned int fd, struct file *file)

{

	mutex_lock(&proc->files_lock);

	if (proc->files)

		__fd_install(proc->files, fd, file);

	mutex_unlock(&proc->files_lock);

}



/*
@@ -976,9 +986,11 @@ static long task_close_fd(struct binder_proc *proc, unsigned int fd) 
{

	int retval;



	if (proc->files == NULL)

		return -ESRCH;



	mutex_lock(&proc->files_lock);

	if (proc->files == NULL) {

		retval = -ESRCH;

		goto err;

	}

	retval = __close_fd(proc->files, fd);

	/* can't restart close syscall because file table entry was cleared */

	if (unlikely(retval == -ERESTARTSYS ||
@@ -986,7 +998,8 @@ static long task_close_fd(struct binder_proc *proc, unsigned int fd) 
		     retval == -ERESTARTNOHAND ||

		     retval == -ERESTART_RESTARTBLOCK))

		retval = -EINTR;



err:

	mutex_unlock(&proc->files_lock);

	return retval;

}
@@ -4894,7 +4907,9 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) 
	ret = binder_alloc_mmap_handler(&proc->alloc, vma);

	if (ret)

		return ret;

	mutex_lock(&proc->files_lock);

	proc->files = get_files_struct(current);

	mutex_unlock(&proc->files_lock);

	return 0;



err_bad_arg:
@@ -4918,6 +4933,7 @@ static int binder_open(struct inode *nodp, struct file *filp) 
	spin_lock_init(&proc->outer_lock);

	get_task_struct(current->group_leader);

	proc->tsk = current->group_leader;

	mutex_init(&proc->files_lock);

	INIT_LIST_HEAD(&proc->todo);

	if (binder_supported_policy(current->policy)) {

		proc->default_priority.sched_policy = current->policy;
@@ -5177,9 +5193,11 @@ static void binder_deferred_func(struct work_struct *work) 


		files = NULL;

		if (defer & BINDER_DEFERRED_PUT_FILES) {

			mutex_lock(&proc->files_lock);

			files = proc->files;

			if (files)

				proc->files = NULL;

			mutex_unlock(&proc->files_lock);

		}



		if (defer & BINDER_DEFERRED_FLUSH)