Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 91aa4700 authored by Anurag Chouhan's avatar Anurag Chouhan Committed by Gerrit - the friendly Code Review server
Browse files

binder: binder: fix possible UAF when freeing buffer 



There is a race between the binder driver cleaning
up a completed transaction via binder_free_transaction()
and a user calling binder_ioctl(BC_FREE_BUFFER) to
release a buffer. It doesn't matter which is first but
they need to be protected against running concurrently
which can result in a UAF.

Bug: 133758011
Change-Id: Ie1426ff3d00218d050d61ff77b333ddf8818b7c9
Signed-off-by: default avatarTodd Kjos <tkjos@google.com>
Git-commit: 0e1b964ab45ea74a54c988228c777d3b701c265f
Git-repo: https://android.googlesource.com/kernel/common/


Signed-off-by: default avatarRahul Shahare <rshaha@codeaurora.org>
Signed-off-by: default avatarNaitik Bharadiya <bharad@codeaurora.org>
Signed-off-by: default avatarAnurag Chouhan <achouhan@codeaurora.org>
parent 5953c3fd
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment