From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Jann Horn <jannh@google.com>
Cc: "Arve Hjønnevåg" <arve@android.com>,
	"Todd Kjos" <tkjos@android.com>,
	"Martijn Coenen" <maco@android.com>,
	"Joel Fernandes" <joel@joelfernandes.org>,
	"Christian Brauner" <christian@brauner.io>,
	devel@driverdev.osuosl.org,
	"Mattias Nissler" <mnissler@google.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH resend] binder: Prevent context manager from incrementing ref 0
Date: Fri, 10 Jul 2020 08:54:18 +0200
Message-ID: <20200710065418.GA1143105@kroah.com>
In-Reply-To: <20200709223948.1051613-1-jannh@google.com>

On Fri, Jul 10, 2020 at 12:39:48AM +0200, Jann Horn wrote:
> Binder is designed such that a binder_proc never has references to
> itself. If this rule is violated, memory corruption can occur when a
> process sends a transaction to itself; see e.g.
> <https://syzkaller.appspot.com/bug?extid=09e05aba06723a94d43d>.
> 
> There is a remaining edge case through which such a transaction-to-self
> can still occur from the context of a task with BINDER_SET_CONTEXT_MGR
> access:
> 
>  - task A opens /dev/binder twice, creating binder_proc instances P1
>    and P2
>  - P1 becomes context manager
>  - P2 calls ACQUIRE on the magic handle 0, allocating index 0 in its
>    handle table
>  - P1 dies (by closing the /dev/binder fd and waiting a bit)
>  - P2 becomes context manager
>  - P2 calls ACQUIRE on the magic handle 0, allocating index 1 in its
>    handle table
>    [this triggers a warning: "binder: 1974:1974 tried to acquire
>    reference to desc 0, got 1 instead"]
>  - task B opens /dev/binder once, creating binder_proc instance P3
>  - P3 calls P2 (via magic handle 0) with (void*)1 as argument (two-way
>    transaction)
>  - P2 receives the handle and uses it to call P3 (two-way transaction)
>  - P3 calls P2 (via magic handle 0) (two-way transaction)
>  - P2 calls P2 (via handle 1) (two-way transaction)
> 
> And then, if P2 does *NOT* accept the incoming transaction work, but
> instead closes the binder fd, we get a crash.
> 
> Solve it by preventing the context manager from using ACQUIRE on ref 0.
> There shouldn't be any legitimate reason for the context manager to do
> that.
> 
> Additionally, print a warning if someone manages to find another way to
> trigger a transaction-to-self bug in the future.
> 
> Cc: stable@vger.kernel.org
> Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
> Signed-off-by: Jann Horn <jannh@google.com>
> Acked-by: Todd Kjos <tkjos@google.com>
> ---
> sending again because I forgot to CC LKML the first time... sorry about
> the spam.

This spits out a bunch of warnings when built; how did it work on your
end?

drivers/android/binder.c: In function ‘binder_thread_write’:
./include/linux/kern_levels.h:5:18: warning: format ‘%d’ expects a matching ‘int’ argument [-Wformat=]
    5 | #define KERN_SOH "\001"  /* ASCII Start Of Header */
      |                  ^~~~~~
./include/linux/printk.h:507:10: note: in definition of macro ‘printk_ratelimited’
  507 |   printk(fmt, ##__VA_ARGS__);    \
      |          ^~~
./include/linux/kern_levels.h:14:19: note: in expansion of macro ‘KERN_SOH’
   14 | #define KERN_INFO KERN_SOH "6" /* informational */
      |                   ^~~~~~~~
./include/linux/printk.h:527:21: note: in expansion of macro ‘KERN_INFO’
  527 |  printk_ratelimited(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
      |                     ^~~~~~~~~
drivers/android/binder.c:147:4: note: in expansion of macro ‘pr_info_ratelimited’
  147 |    pr_info_ratelimited(x); \
      |    ^~~~~~~~~~~~~~~~~~~
drivers/android/binder.c:3646:7: note: in expansion of macro ‘binder_user_error’
 3646 |       binder_user_error("%d:%d context manager tried to acquire desc 0\n");
      |       ^~~~~~~~~~~~~~~~~
./include/linux/kern_levels.h:5:18: warning: format ‘%d’ expects a matching ‘int’ argument [-Wformat=]
    5 | #define KERN_SOH "\001"  /* ASCII Start Of Header */
      |                  ^~~~~~
./include/linux/printk.h:507:10: note: in definition of macro ‘printk_ratelimited’
  507 |   printk(fmt, ##__VA_ARGS__);    \
      |          ^~~
./include/linux/kern_levels.h:14:19: note: in expansion of macro ‘KERN_SOH’
   14 | #define KERN_INFO KERN_SOH "6" /* informational */
      |                   ^~~~~~~~
./include/linux/printk.h:527:21: note: in expansion of macro ‘KERN_INFO’
  527 |  printk_ratelimited(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
      |                     ^~~~~~~~~
drivers/android/binder.c:147:4: note: in expansion of macro ‘pr_info_ratelimited’
  147 |    pr_info_ratelimited(x); \
      |    ^~~~~~~~~~~~~~~~~~~
drivers/android/binder.c:3646:7: note: in expansion of macro ‘binder_user_error’
 3646 |       binder_user_error("%d:%d context manager tried to acquire desc 0\n");
      |       ^~~~~~~~~~~~~~~~~


thanks,

greg k-h
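The warning in the build log above is gcc's format checking catching a printk-style call whose format string names two %d conversions but passes no arguments. The following is an added example, not code from the patch or from the kernel tree: a userspace stand-in for the binder_user_error() -> pr_info_ratelimited() -> printk() chain, with the same format attribute the kernel puts on printk(), so the defective call warns exactly as in the log, next to the corrected call. The helper names (user_error, fixed_message) and the pid values are hypothetical.

```c
/* Added example, not code from the patch or the kernel tree: a userspace
 * stand-in for the kernel's binder_user_error() -> pr_info_ratelimited()
 * -> printk() chain. Helper names and pid values are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* printk() is declared __printf(1, 2) in the kernel; the same attribute
 * here lets gcc -Wformat check the arguments against the conversions. */
static int user_error(char *buf, size_t len, const char *fmt, ...)
	__attribute__((format(printf, 3, 4)));

static int user_error(char *buf, size_t len, const char *fmt, ...)
{
	va_list ap;
	int n;

	va_start(ap, fmt);
	n = vsnprintf(buf, len, fmt, ap);
	va_end(ap);
	return n;
}

/*
 * The call as it appears in the build log: two %d conversions and no
 * arguments. Kept under #if 0 so this file compiles cleanly; enabling it
 * and building with -Wall reproduces
 *   warning: format '%d' expects a matching 'int' argument [-Wformat=]
 * At runtime such a call consumes whatever happens to sit in the variadic
 * argument slots, which is why a format/argument mismatch is a bug and
 * not a cosmetic warning.
 */
#if 0
static void broken_call(char *buf, size_t len)
{
	user_error(buf, len, "%d:%d context manager tried to acquire desc 0\n");
}
#endif

/* Corrected form: both conversions get an argument. The other
 * binder_user_error() calls in binder.c pass proc->pid and thread->pid
 * here, which is what the "1974:1974" prefix in the commit message is. */
static const char *fixed_message(int proc_pid, int thread_pid)
{
	static char buf[128];

	user_error(buf, sizeof(buf),
		   "%d:%d context manager tried to acquire desc 0\n",
		   proc_pid, thread_pid);
	return buf;
}

int main(void)
{
	/* Constructed sample pids, chosen to match the warning quoted above. */
	fputs(fixed_message(1974, 1974), stdout);
	return 0;
}
```

Build with `gcc -Wall -Wformat` to see the attribute in action; the kernel gets the same check for free because every binder_user_error() ultimately expands to printk(), and the fix for the patch is simply to pass proc->pid and thread->pid like the neighbouring calls do.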

