Commit 51d8a7ec authored Oct 08, 2019 by Christian Brauner Committed by Greg Kroah-Hartman Oct 10, 2019

binder: prevent UAF read in print_binder_transaction_log_entry()

When a binder transaction is initiated on a binder device coming from a
binderfs instance, a pointer to the name of the binder device is stashed
in the binder_transaction_log_entry's context_name member. Later on it
is used to print the name in print_binder_transaction_log_entry(). By
the time print_binder_transaction_log_entry() accesses context_name
binderfs_evict_inode() might have already freed the associated memory
thereby causing a UAF. Do the simple thing and prevent this by copying
the name of the binder device instead of stashing a pointer to it.

Reported-by: Jann Horn <jannh@google.com>
Fixes: 03e2e07e ("binder: Make transaction_log available in binderfs")
Link: https://lore.kernel.org/r/CAG48ez14Q0-F8LqsvcNbyR2o6gPW8SHXsm4u5jmD9MpsteM2Tw@mail.gmail.com

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Acked-by: Todd Kjos <tkjos@google.com>
Reviewed-by: Hridya Valsaraju <hridya@google.com>
Link: https://lore.kernel.org/r/20191008130159.10161-1-christian.brauner@ubuntu.com

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent fc739a05

drivers/android/binder.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -57,6 +57,7 @@
		#include <linux/sched/signal.h>
		#include <linux/sched/mm.h>
		#include <linux/seq_file.h>
		#include <linux/string.h>
		#include <linux/uaccess.h>
		#include <linux/pid_namespace.h>
		#include <linux/security.h>
		@@ -66,6 +67,7 @@
		#include <linux/task_work.h>

		#include <uapi/linux/android/binder.h>
		#include <uapi/linux/android/binderfs.h>

		#include <asm/cacheflush.h>

		@@ -2876,7 +2878,7 @@ static void binder_transaction(struct binder_proc *proc,
		e->target_handle = tr->target.handle;
		e->data_size = tr->data_size;
		e->offsets_size = tr->offsets_size;
		e->context_name = proc->context->name;
		strscpy(e->context_name, proc->context->name, BINDERFS_MAX_NAME);

		if (reply) {
		binder_inner_proc_lock(proc);

+1 −1

Original line number	Diff line number	Diff line
		@@ -130,7 +130,7 @@ struct binder_transaction_log_entry {
		int return_error_line;
		uint32_t return_error;
		uint32_t return_error_param;
		const char *context_name;
		char context_name[BINDERFS_MAX_NAME + 1];
		};

		struct binder_transaction_log {