From: Todd Kjos <tkjos@google.com>
To: tkjos@google.com, gregkh@linuxfoundation.org,
	christian@brauner.io, arve@android.com,
	devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org,
	maco@google.com
Cc: joel@joelfernandes.org, kernel-team@android.com,
	avakj45@gmail.com, Dan Carpenter <dan.carpenter@oracle.com>
Subject: [PATCH v2 1/4] binder: fix handling of error during copy
Date: Tue, 30 Nov 2021 10:51:49 -0800
Message-ID: <20211130185152.437403-2-tkjos@google.com>
In-Reply-To: <20211130185152.437403-1-tkjos@google.com>

If a memory copy function fails to copy the whole buffer,
a positive integer with the remaining bytes is returned.
In binder_translate_fd_array() this can result in an fd being
skipped due to the failed copy, but the loop continues
processing fds since the early return condition expects a
negative integer on error.

Fix by returning "ret > 0 ? -EINVAL : ret" to handle this case.

Fixes: bb4a2e48d510 ("binder: return errors from buffer copy functions")
Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
---
v2: Added this patch to fix bug noticed by Dan Carpenter

 drivers/android/binder.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 49fb74196d02..984e6263dcc7 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2269,8 +2269,8 @@ static int binder_translate_fd_array(struct binder_fd_array_object *fda,
 		if (!ret)
 			ret = binder_translate_fd(fd, offset, t, thread,
 						  in_reply_to);
-		if (ret < 0)
-			return ret;
+		if (ret)
+			return ret > 0 ? -EINVAL : ret;
 	}
 	return 0;
 }
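Review bot: The new `return ret > 0 ? -EINVAL : ret;` carries no comment saying where a positive `ret` can come from, so the ternary reads as arbitrary to anyone who has not seen the commit message. A one-line comment above `if (ret)` noting that the copy helper returns the number of uncopied bytes on a short copy would make the intent clear. Because the conversion sits after the `binder_translate_fd()` call, it also rewrites any positive value that function might return; converting the copy result to a negative errno before the `if (!ret)` test would keep the mapping next to its source and leave the original `if (ret < 0)` check meaningful.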
-- 
2.34.0.rc2.393.gf8c9666880-goog

