From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.3 required=3.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 60683C433E0 for ; Thu, 9 Jul 2020 22:54:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 35BD420786 for ; Thu, 9 Jul 2020 22:54:54 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="oiAxobyV" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726989AbgGIWyw (ORCPT ); Thu, 9 Jul 2020 18:54:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41094 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726228AbgGIWyw (ORCPT ); Thu, 9 Jul 2020 18:54:52 -0400 Received: from mail-ed1-x543.google.com (mail-ed1-x543.google.com [IPv6:2a00:1450:4864:20::543]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BA58BC08C5CE for ; Thu, 9 Jul 2020 15:54:51 -0700 (PDT) Received: by mail-ed1-x543.google.com with SMTP id d18so3108217edv.6 for ; Thu, 09 Jul 2020 15:54:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=h3E9CmP5pzqqITk3EJ5pCRFF7120Umpn5DkCt3PZmyI=; b=oiAxobyVHtmcT1uDdRMJ5KCPYgiJcvwg0bT1wajNVARoK+DbSmJJH5GxohbU2nIXcM Md7jqXoAgG2YNCHynS+jYIxySL/eeY/W5eQ2bBGiSkR9ZLPebSPskM/5ojc9HlENFh7m ZY28rYsR19yHA+3606f8FYuhvf0kWd9VKB2VQI5iRidasRanhGt9foQatc3RxeUF2q5n 1aVv2B23MxyAfxPBr/YN1YDItdj/K45hkyB9lWfpYiZfBSjubtYSnVMNfCi6gSk9ju0P r6QBZRTmNEEhhPCz5z7twQtfxrWiWI3qT7jG4ZixRQXIgjBAxm4HLaiX+LX9dutby4d0 jFcg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=h3E9CmP5pzqqITk3EJ5pCRFF7120Umpn5DkCt3PZmyI=; b=ApDkusx+93vZN/1Q2Nk0s4mtvTYMRMnF9rRWQFQuV3PrBscGKxmyJ2HguEMKopTlLB xUByWtMmX+PNC0t5OJ1+pHygkM30QpzojlOcXNYIxO7kitQIdAbexYgBBac/LazrQAdi bK+Mpecm5pZFg4rXw9wuBnJaK9k9dh5FEMTLDwRzxMYZ8IraxtXDKcsYLngJe/wO9Ygy V2ykf4p7rJ6FX8gU41fojie4CDBocktRbAw1pcXkk+3asVghnPsi8u7P4dJWmI2QcD/u menkhKr7IuSmS0KG9/OhTLhSvNw3sg9OFOrxw5peDXpE9RtDmX6HGE1SzWtIhaPh147j op2A== X-Gm-Message-State: AOAM530MLCPJ8aElHQ/ZEDH1rR5NucFW+S3rKCLUA569JCuc32Qqwf9F eFc6nyl38RqZ+DrWTsD9TSIzoeZ/TmfzAR+ryn28ig== X-Google-Smtp-Source: ABdhPJz9uaSIXcnqe4UJG/4qyWvxlwUPgsKdudNjp8UAkBRNtmqP10AQmMtpHxhnQTomWWTQ1SKnxvYiDJCH0O5UzlM= X-Received: by 2002:a50:c355:: with SMTP id q21mr71840462edb.121.1594335290245; Thu, 09 Jul 2020 15:54:50 -0700 (PDT) MIME-Version: 1.0 References: <20200709223948.1051613-1-jannh@google.com> In-Reply-To: <20200709223948.1051613-1-jannh@google.com> From: Todd Kjos Date: Thu, 9 Jul 2020 15:54:38 -0700 Message-ID: Subject: Re: [PATCH resend] binder: Prevent context manager from incrementing ref 0 To: Jann Horn Cc: Greg Kroah-Hartman , =?UTF-8?B?QXJ2ZSBIasO4bm5ldsOlZw==?= , Todd Kjos , Martijn Coenen , Joel Fernandes , Christian Brauner , "open list:ANDROID DRIVERS" , Mattias Nissler , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jul 9, 2020 at 3:40 PM Jann Horn wrote: > > Binder is designed such that a binder_proc never has references to > itself. If this rule is violated, memory corruption can occur when a > process sends a transaction to itself; see e.g. > . > > There is a remaining edgecase through which such a transaction-to-self > can still occur from the context of a task with BINDER_SET_CONTEXT_MGR > access: > > - task A opens /dev/binder twice, creating binder_proc instances P1 > and P2 > - P1 becomes context manager > - P2 calls ACQUIRE on the magic handle 0, allocating index 0 in its > handle table > - P1 dies (by closing the /dev/binder fd and waiting a bit) > - P2 becomes context manager > - P2 calls ACQUIRE on the magic handle 0, allocating index 1 in its > handle table > [this triggers a warning: "binder: 1974:1974 tried to acquire > reference to desc 0, got 1 instead"] > - task B opens /dev/binder once, creating binder_proc instance P3 > - P3 calls P2 (via magic handle 0) with (void*)1 as argument (two-way > transaction) > - P2 receives the handle and uses it to call P3 (two-way transaction) > - P3 calls P2 (via magic handle 0) (two-way transaction) > - P2 calls P2 (via handle 1) (two-way transaction) > > And then, if P2 does *NOT* accept the incoming transaction work, but > instead closes the binder fd, we get a crash. > > Solve it by preventing the context manager from using ACQUIRE on ref 0. > There shouldn't be any legitimate reason for the context manager to do > that. > > Additionally, print a warning if someone manages to find another way to > trigger a transaction-to-self bug in the future. > > Cc: stable@vger.kernel.org > Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") > Signed-off-by: Jann Horn Nice catch. Acked-by: Todd Kjos > --- > sending again because I forgot to CC LKML the first time... sorry about > the spam. > > drivers/android/binder.c | 14 +++++++++++++- > 1 file changed, 13 insertions(+), 1 deletion(-) > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c > index f50c5f182bb5..cac65ff3a257 100644 > --- a/drivers/android/binder.c > +++ b/drivers/android/binder.c > @@ -2982,6 +2982,12 @@ static void binder_transaction(struct binder_proc *proc, > goto err_dead_binder; > } > e->to_node = target_node->debug_id; > + if (WARN_ON(proc == target_proc)) { > + return_error = BR_FAILED_REPLY; > + return_error_param = -EINVAL; > + return_error_line = __LINE__; > + goto err_invalid_target_handle; > + } > if (security_binder_transaction(proc->tsk, > target_proc->tsk) < 0) { > return_error = BR_FAILED_REPLY; > @@ -3635,10 +3641,16 @@ static int binder_thread_write(struct binder_proc *proc, > struct binder_node *ctx_mgr_node; > mutex_lock(&context->context_mgr_node_lock); > ctx_mgr_node = context->binder_context_mgr_node; > - if (ctx_mgr_node) > + if (ctx_mgr_node) { > + if (ctx_mgr_node->proc == proc) { > + binder_user_error("%d:%d context manager tried to acquire desc 0\n"); > + mutex_unlock(&context->context_mgr_node_lock); > + return -EINVAL; > + } > ret = binder_inc_ref_for_node( > proc, ctx_mgr_node, > strong, NULL, &rdata); > + } > mutex_unlock(&context->context_mgr_node_lock); > } > if (ret) > > base-commit: 2a89b99f580371b86ae9bafd6cbeccd3bfab524a > -- > 2.27.0.389.gc38d7665816-goog > From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.5 required=3.0 tests=DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6E3B5C433E1 for ; Thu, 9 Jul 2020 22:54:55 +0000 (UTC) Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 43AC520775 for ; Thu, 9 Jul 2020 22:54:55 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=google.com header.i=@google.com header.b="oiAxobyV" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 43AC520775 Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=driverdev-devel-bounces@linuxdriverproject.org Received: from localhost (localhost [127.0.0.1]) by hemlock.osuosl.org (Postfix) with ESMTP id DFE57898C0; Thu, 9 Jul 2020 22:54:54 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from hemlock.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F+Ju6D6hY4Nt; Thu, 9 Jul 2020 22:54:54 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by hemlock.osuosl.org (Postfix) with ESMTP id 1E0838988B; Thu, 9 Jul 2020 22:54:54 +0000 (UTC) Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by ash.osuosl.org (Postfix) with ESMTP id 7564C1BF310 for ; Thu, 9 Jul 2020 22:54:53 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org (Postfix) with ESMTP id 7206686DB2 for ; Thu, 9 Jul 2020 22:54:53 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from fraxinus.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4RN9xwJl4mF8 for ; Thu, 9 Jul 2020 22:54:52 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-ed1-f66.google.com (mail-ed1-f66.google.com [209.85.208.66]) by fraxinus.osuosl.org (Postfix) with ESMTPS id 103FF86BA1 for ; Thu, 9 Jul 2020 22:54:52 +0000 (UTC) Received: by mail-ed1-f66.google.com with SMTP id by13so3086051edb.11 for ; Thu, 09 Jul 2020 15:54:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=h3E9CmP5pzqqITk3EJ5pCRFF7120Umpn5DkCt3PZmyI=; b=oiAxobyVHtmcT1uDdRMJ5KCPYgiJcvwg0bT1wajNVARoK+DbSmJJH5GxohbU2nIXcM Md7jqXoAgG2YNCHynS+jYIxySL/eeY/W5eQ2bBGiSkR9ZLPebSPskM/5ojc9HlENFh7m ZY28rYsR19yHA+3606f8FYuhvf0kWd9VKB2VQI5iRidasRanhGt9foQatc3RxeUF2q5n 1aVv2B23MxyAfxPBr/YN1YDItdj/K45hkyB9lWfpYiZfBSjubtYSnVMNfCi6gSk9ju0P r6QBZRTmNEEhhPCz5z7twQtfxrWiWI3qT7jG4ZixRQXIgjBAxm4HLaiX+LX9dutby4d0 jFcg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=h3E9CmP5pzqqITk3EJ5pCRFF7120Umpn5DkCt3PZmyI=; b=mknTgs1gW/oP2n+EbOwhBSDaElvMT9mdamHLGRry0DkbzF5LVxBayzW6IRj0V89HGP FOtDF6OPcllk+9Gy1Ecp87btyRojDj0EC7mEwn8RNsnJQrLwMW0aVQ7BxNfbUDchNjRv xfCt33MeTB9MRJxuFRDQT0KSGZcRZ4pyyrgQm9AoEm5QF+u0lliS4p+hMJbYOY2xf2Bi WtXqwFfEc8tlfgYOlM3e80PgCPrwodvRJk+X0yphE4wWDNgS+rEq5WoI5vcbkelaPEyA AKVdOz96RQaOctseLMhMuyc3gn5SWtW79Y5B0BeBmjjF/r7b2Oxuqccf8DWzR4XWEG4V JeUw== X-Gm-Message-State: AOAM532fSOgdDYLiLaxHUYyDQp4SZg0ovLjAQc9vf22R5DzVE2alCfua eRPuaaG2u4QKvES0LS0Gq1dna9PEvAaYTw1pAwTRnQ== X-Google-Smtp-Source: ABdhPJz9uaSIXcnqe4UJG/4qyWvxlwUPgsKdudNjp8UAkBRNtmqP10AQmMtpHxhnQTomWWTQ1SKnxvYiDJCH0O5UzlM= X-Received: by 2002:a50:c355:: with SMTP id q21mr71840462edb.121.1594335290245; Thu, 09 Jul 2020 15:54:50 -0700 (PDT) MIME-Version: 1.0 References: <20200709223948.1051613-1-jannh@google.com> In-Reply-To: <20200709223948.1051613-1-jannh@google.com> From: Todd Kjos Date: Thu, 9 Jul 2020 15:54:38 -0700 Message-ID: Subject: Re: [PATCH resend] binder: Prevent context manager from incrementing ref 0 To: Jann Horn X-BeenThere: driverdev-devel@linuxdriverproject.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Driver Project Developer List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: "open list:ANDROID DRIVERS" , Todd Kjos , Greg Kroah-Hartman , LKML , =?UTF-8?B?QXJ2ZSBIasO4bm5ldsOlZw==?= , Mattias Nissler , Joel Fernandes , Martijn Coenen , Christian Brauner Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: driverdev-devel-bounces@linuxdriverproject.org Sender: "devel" On Thu, Jul 9, 2020 at 3:40 PM Jann Horn wrote: > > Binder is designed such that a binder_proc never has references to > itself. If this rule is violated, memory corruption can occur when a > process sends a transaction to itself; see e.g. > . > > There is a remaining edgecase through which such a transaction-to-self > can still occur from the context of a task with BINDER_SET_CONTEXT_MGR > access: > > - task A opens /dev/binder twice, creating binder_proc instances P1 > and P2 > - P1 becomes context manager > - P2 calls ACQUIRE on the magic handle 0, allocating index 0 in its > handle table > - P1 dies (by closing the /dev/binder fd and waiting a bit) > - P2 becomes context manager > - P2 calls ACQUIRE on the magic handle 0, allocating index 1 in its > handle table > [this triggers a warning: "binder: 1974:1974 tried to acquire > reference to desc 0, got 1 instead"] > - task B opens /dev/binder once, creating binder_proc instance P3 > - P3 calls P2 (via magic handle 0) with (void*)1 as argument (two-way > transaction) > - P2 receives the handle and uses it to call P3 (two-way transaction) > - P3 calls P2 (via magic handle 0) (two-way transaction) > - P2 calls P2 (via handle 1) (two-way transaction) > > And then, if P2 does *NOT* accept the incoming transaction work, but > instead closes the binder fd, we get a crash. > > Solve it by preventing the context manager from using ACQUIRE on ref 0. > There shouldn't be any legitimate reason for the context manager to do > that. > > Additionally, print a warning if someone manages to find another way to > trigger a transaction-to-self bug in the future. > > Cc: stable@vger.kernel.org > Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") > Signed-off-by: Jann Horn Nice catch. Acked-by: Todd Kjos > --- > sending again because I forgot to CC LKML the first time... sorry about > the spam. > > drivers/android/binder.c | 14 +++++++++++++- > 1 file changed, 13 insertions(+), 1 deletion(-) > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c > index f50c5f182bb5..cac65ff3a257 100644 > --- a/drivers/android/binder.c > +++ b/drivers/android/binder.c > @@ -2982,6 +2982,12 @@ static void binder_transaction(struct binder_proc *proc, > goto err_dead_binder; > } > e->to_node = target_node->debug_id; > + if (WARN_ON(proc == target_proc)) { > + return_error = BR_FAILED_REPLY; > + return_error_param = -EINVAL; > + return_error_line = __LINE__; > + goto err_invalid_target_handle; > + } > if (security_binder_transaction(proc->tsk, > target_proc->tsk) < 0) { > return_error = BR_FAILED_REPLY; > @@ -3635,10 +3641,16 @@ static int binder_thread_write(struct binder_proc *proc, > struct binder_node *ctx_mgr_node; > mutex_lock(&context->context_mgr_node_lock); > ctx_mgr_node = context->binder_context_mgr_node; > - if (ctx_mgr_node) > + if (ctx_mgr_node) { > + if (ctx_mgr_node->proc == proc) { > + binder_user_error("%d:%d context manager tried to acquire desc 0\n"); > + mutex_unlock(&context->context_mgr_node_lock); > + return -EINVAL; > + } > ret = binder_inc_ref_for_node( > proc, ctx_mgr_node, > strong, NULL, &rdata); > + } > mutex_unlock(&context->context_mgr_node_lock); > } > if (ret) > > base-commit: 2a89b99f580371b86ae9bafd6cbeccd3bfab524a > -- > 2.27.0.389.gc38d7665816-goog > _______________________________________________ devel mailing list devel@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel