Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux/drivers
History
Carlos Llamas 7e20434cbc binder: fix freeze UAF in binder_release_work() 
When a binder reference is cleaned up, any freeze work queued in the
associated process should also be removed. Otherwise, the reference is
freed while its ref->freeze.work is still queued in proc->work leading
to a use-after-free issue as shown by the following KASAN report:

  ==================================================================
  BUG: KASAN: slab-use-after-free in binder_release_work+0x398/0x3d0
  Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211

  CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22
  Hardware name: linux,dummy-virt (DT)
  Workqueue: events binder_deferred_func
  Call trace:
   binder_release_work+0x398/0x3d0
   binder_deferred_func+0xb60/0x109c
   process_one_work+0x51c/0xbd4
   worker_thread+0x608/0xee8

  Allocated by task 703:
   __kmalloc_cache_noprof+0x130/0x280
   binder_thread_write+0xdb4/0x42a0
   binder_ioctl+0x18f0/0x25ac
   __arm64_sys_ioctl+0x124/0x190
   invoke_syscall+0x6c/0x254

  Freed by task 211:
   kfree+0xc4/0x230
   binder_deferred_func+0xae8/0x109c
   process_one_work+0x51c/0xbd4
   worker_thread+0x608/0xee8
  ==================================================================

This commit fixes the issue by ensuring any queued freeze work is removed
when cleaning up a binder reference.

Fixes: d579b04a52 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Acked-by: Todd Kjos <tkjos@android.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-4-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2024-10-13 17:12:21 +02:00
..
accel dma-mapping updates for linux 6.12 2024-09-19 11:12:49 +02:00
accessibility
acpi cxl fixes for 6.12-rc2 2024-10-05 10:40:16 -07:00
amba
android binder: fix freeze UAF in binder_release_work() 2024-10-13 17:12:21 +02:00
ata move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
atm
auxdisplay move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
base move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
bcma
block block-6.12-20241004 2024-10-04 10:43:44 -07:00
bluetooth Including fixes from ieee802154, bluetooth and netfilter. 2024-10-03 09:44:00 -07:00
bus Driver core update for 6.12-rc1 2024-09-27 08:48:37 -07:00
cache
cdrom
cdx
char move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
clk move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
clocksource Updates for x86 timers: 2024-09-17 15:27:01 +02:00
comedi move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
connector
counter move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
cpufreq Power management fixes for 6.12-rc2 2024-10-04 11:57:15 -07:00
cpuidle pmdomain core: 2024-09-18 10:49:45 +02:00
crypto move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
cxl move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
dax
dca
devfreq
dio
dma soc: convert ep93xx to devicetree 2024-09-26 12:00:25 -07:00
dma-buf drm next for 6.12-rc1 2024-09-19 10:18:15 +02:00
dpll
edac
eisa
extcon Char/Misc and other driver changes for 6.12-rc1 2024-09-26 10:13:08 -07:00
firewire move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
firmware drm fixes for 6.12-rc2 2024-10-04 11:25:14 -07:00
fpga move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
fsi move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
gnss [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
gpio gpiolib: Fix potential NULL pointer dereference in gpiod_get_label() 2024-10-03 20:51:47 +02:00
gpu drm fixes for 6.12-rc2 2024-10-04 11:25:14 -07:00
greybus move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
hid Getting rid of asm/unaligned.h includes 2024-10-02 16:42:28 -07:00
hsi
hte
hv drm next for 6.12-rc1 2024-09-19 10:18:15 +02:00
hwmon move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
hwspinlock
hwtracing [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
i2c i2c-for-6.12-rc2 2024-10-05 10:31:04 -07:00
i3c i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition 2024-09-17 16:51:45 +02:00
idle intel_idle: fix ACPI _CST matching for newer Xeon platforms 2024-09-25 22:30:33 +02:00
iio move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
infiniband [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
input Getting rid of asm/unaligned.h includes 2024-10-02 16:42:28 -07:00
interconnect
iommu [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
ipack
irqchip Merge tag 'irq-core-2024-09-16' into loongarch-next 2024-09-17 22:20:12 +08:00
isdn move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
leds move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
macintosh move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
mailbox mailbox, remoteproc: omap2+: fix compile testing 2024-09-27 09:11:05 -05:00
mcb
md Getting rid of asm/unaligned.h includes 2024-10-02 16:42:28 -07:00
media move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
memory
memstick move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
message SCSI misc on 20240928 2024-09-29 09:22:34 -07:00
mfd move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
misc rpmb: Remove some useless locking 2024-10-13 17:11:51 +02:00
mmc move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
most
mtd move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
mux
net Including fixes from ieee802154, bluetooth and netfilter. 2024-10-03 09:44:00 -07:00
nfc move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
ntb ntb: Force physically contiguous allocation of rx ring buffers 2024-09-20 10:51:25 -04:00
nubus
nvdimm virtio: features, fixes, cleanups 2024-09-26 08:43:17 -07:00
nvme move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
nvmem Char/Misc and other driver changes for 6.12-rc1 2024-09-26 10:13:08 -07:00
of Kbuild updates for v6.12 2024-09-24 13:02:06 -07:00
opp
parisc
parport
pci move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
pcmcia move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
peci move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
perf drivers/perf: riscv: Align errno for unsupported perf event 2024-10-01 02:47:39 -07:00
phy phy-for-6.12 2024-09-23 14:05:10 -07:00
pinctrl soc: convert ep93xx to devicetree 2024-09-26 12:00:25 -07:00
platform platform-drivers-x86 for v6.12-2 2024-10-06 11:11:01 -07:00
pmdomain
pnp
power move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
powercap
pps [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
ps3
ptp move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
pwm soc: convert ep93xx to devicetree 2024-09-26 12:00:25 -07:00
rapidio
ras
regulator
remoteproc mhu-v3, omap2+ : fix kconfig dependencies 2024-09-29 09:53:04 -07:00
reset
rpmsg
rtc move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
s390 more s390 updates for 6.12 merge window 2024-09-28 09:11:46 -07:00
sbus [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
scsi move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
sh sh: intc: Replace simple_strtoul() with kstrtoul() 2024-09-26 17:25:29 +02:00
siox
slimbus
soc move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
soundwire soundwire updates for 6.12 2024-09-23 14:00:46 -07:00
spi spi: Fixes for v6.12 2024-10-05 10:25:04 -07:00
spmi
ssb
staging move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
target move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
tc
tee
thermal move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
thunderbolt
tty move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
ufs move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
uio
usb move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
vdpa virtio: features, fixes, cleanups 2024-09-26 08:43:17 -07:00
vfio [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
vhost move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
video move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
virt [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
virtio virtio: features, fixes, cleanups 2024-09-26 08:43:17 -07:00
w1
watchdog move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
xen xen: Fix config option reference in XEN_PRIVCMD definition 2024-10-02 16:14:30 +02:00
zorro
Kconfig
Makefile