From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Todd Kjos <tkjos@google.com>
Subject: [PATCH 4.14 14/19] binder: fix async_free_space accounting for empty parcels
Date: Mon, 3 Jan 2022 15:21:31 +0100 [thread overview]
Message-ID: <20220103142052.537383824@linuxfoundation.org> (raw)
In-Reply-To: <20220103142052.068378906@linuxfoundation.org>
From: Todd Kjos <tkjos@google.com>
commit cfd0d84ba28c18b531648c9d4a35ecca89ad9901 upstream.
In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
fixed a kernel structure visibility issue. As part of that patch,
sizeof(void *) was used as the buffer size for 0-length data payloads so
the driver could detect abusive clients sending 0-length asynchronous
transactions to a server by enforcing limits on async_free_size.
Unfortunately, on the "free" side, the accounting of async_free_space
did not add the sizeof(void *) back. The result was that up to 8-bytes of
async_free_space were leaked on every async transaction of 8-bytes or
less. These small transactions are uncommon, so this accounting issue
has gone undetected for several years.
The fix is to use "buffer_size" (the allocated buffer size) instead of
"size" (the logical buffer size) when updating the async_free_space
during the free operation. These are the same except for this
corner case of asynchronous transactions with payloads < 8 bytes.
Fixes: 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable@vger.kernel.org # 4.14+
Link: https://lore.kernel.org/r/20211220190150.2107077-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/binder_alloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c
@@ -619,7 +619,7 @@ static void binder_free_buf_locked(struc
BUG_ON(buffer->data > alloc->buffer + alloc->buffer_size);
if (buffer->async_transaction) {
- alloc->free_async_space += size + sizeof(struct binder_buffer);
+ alloc->free_async_space += buffer_size + sizeof(struct binder_buffer);
binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
"%d: binder_free_buf size %zd async free %zd\n",
next prev parent reply other threads:[~2022-01-03 14:23 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-03 14:21 [PATCH 4.14 00/19] 4.14.261-rc1 review Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 01/19] HID: asus: Add depends on USB_HID to HID_ASUS Kconfig option Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 02/19] tee: handle lookup of shm with reference count 0 Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 03/19] platform/x86: apple-gmux: use resource_size() with res Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 04/19] recordmcount.pl: fix typo in s390 mcount regex Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 05/19] selinux: initialize proto variable in selinux_ip_postroute_compat() Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 06/19] scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write() Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 07/19] net: usb: pegasus: Do not drop long Ethernet frames Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 08/19] NFC: st21nfca: Fix memory leak in device probe and remove Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 09/19] fsl/fman: Fix missing put_device() call in fman_port_probe Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 10/19] nfc: uapi: use kernel size_t to fix user-space builds Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 11/19] uapi: fix linux/nfc.h userspace compilation errors Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 12/19] xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 13/19] usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear Greg Kroah-Hartman
2022-01-03 14:21 ` Greg Kroah-Hartman [this message]
2022-01-03 14:21 ` [PATCH 4.14 15/19] scsi: vmw_pvscsi: Set residual data length conditionally Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 16/19] Input: appletouch - initialize work before device registration Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 17/19] Input: spaceball - fix parsing of movement data packets Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 18/19] net: fix use-after-free in tw_timer_handler Greg Kroah-Hartman
2022-01-03 14:21 ` [PATCH 4.14 19/19] sctp: use call_rcu to free endpoint Greg Kroah-Hartman
2022-01-04 1:24 ` [PATCH 4.14 00/19] 4.14.261-rc1 review Guenter Roeck
2022-01-04 9:53 ` Jon Hunter
2022-01-04 13:39 ` Naresh Kamboju
2022-01-05 2:19 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220103142052.537383824@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tkjos@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.