From nobody Fri Nov 29 04:52:28 2024
Date: Tue, 24 Sep 2024 18:43:53 +0000
In-Reply-To: <20240924184401.76043-1-cmllamas@google.com>
References: <20240924184401.76043-1-cmllamas@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.46.0.792.g87dc391469-goog
Message-ID: <20240924184401.76043-2-cmllamas@google.com>
Subject: [PATCH 1/4] binder: fix node UAF in binder_add_freeze_work()
From: Carlos Llamas
To: Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, Carlos Llamas, Suren Baghdasaryan, Yu-Ting Tseng
Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Alice Ryhl, stable@vger.kernel.org

In binder_add_freeze_work() we iterate over the proc->nodes with the
proc->inner_lock held. However, this lock is temporarily dropped in
order to acquire the node->lock first (lock nesting order). This can
race with binder_node_release() and trigger a use-after-free:

  ==================================================================
  BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
  Write of size 4 at addr ffff53c04c29dd04 by task freeze/640

  CPU: 5 UID: 0 PID: 640 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #17
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   _raw_spin_lock+0xe4/0x19c
   binder_add_freeze_work+0x148/0x478
   binder_ioctl+0x1e70/0x25ac
   __arm64_sys_ioctl+0x124/0x190

  Allocated by task 637:
   __kmalloc_cache_noprof+0x12c/0x27c
   binder_new_node+0x50/0x700
   binder_transaction+0x35ac/0x6f74
   binder_thread_write+0xfb8/0x42a0
   binder_ioctl+0x18f0/0x25ac
   __arm64_sys_ioctl+0x124/0x190

  Freed by task 637:
   kfree+0xf0/0x330
   binder_thread_read+0x1e88/0x3a68
   binder_ioctl+0x16d8/0x25ac
   __arm64_sys_ioctl+0x124/0x190
  ==================================================================

Fix the race by taking a temporary reference on the node before
releasing the proc->inner_lock. This ensures the node remains alive
while in use.

Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas
Acked-by: Todd Kjos
Reviewed-by: Alice Ryhl
---
 drivers/android/binder.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 978740537a1a..4d90203ea048 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -5552,6 +5552,7 @@ static bool binder_txns_pending_ilocked(struct binder= _proc *proc) =20 static void binder_add_freeze_work(struct binder_proc *proc, bool is_froze= n) { + struct binder_node *prev =3D NULL; struct rb_node *n; struct binder_ref *ref; =20 @@ -5560,7 +5561,10 @@ static void binder_add_freeze_work(struct binder_pro= c *proc, bool is_frozen) struct binder_node *node; =20 node =3D rb_entry(n, struct binder_node, rb_node); + binder_inc_node_tmpref_ilocked(node); binder_inner_proc_unlock(proc); + if (prev) + binder_put_node(prev); binder_node_lock(node); hlist_for_each_entry(ref, &node->refs, node_entry) { /*
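Review bot: in the first hunk (@@ -5552), `struct binder_node *prev = NULL;` is the only state that carries a node's temporary reference from one loop iteration into the next, and nothing at the declaration says so; a one-line comment at the declaration stating that `prev` holds a node whose tmpref is dropped only after proc->inner_lock has been released again would keep that ownership rule visible to whoever touches this loop later.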
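Review bot: in the second hunk (@@ -5560), the ordering binder_inc_node_tmpref_ilocked(node) under the inner lock, then binder_inner_proc_unlock(proc), then `if (prev) binder_put_node(prev);` before binder_node_lock(node) is the whole fix, yet the put of the previous node sits far from the place where `prev` is assigned; a short comment saying why the previous node is released at this point rather than right after its own binder_node_unlock() would stop a later cleanup from moving the put back under proc->inner_lock, and the commit message could state the same constraint.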
@@ -5586,10 +5590,13 @@ static void binder_add_freeze_work(struct binder_pr= oc *proc, bool is_frozen) } binder_inner_proc_unlock(ref->proc); } + prev =3D node; binder_node_unlock(node); binder_inner_proc_lock(proc); } binder_inner_proc_unlock(proc); + if (prev) + binder_put_node(prev); } =20 static int binder_ioctl_freeze(struct binder_freeze_info *info,
-- 
2.46.0.792.g87dc391469-goog
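Review bot: in the third hunk (@@ -5586), the tail `if (prev) binder_put_node(prev);` after the final binder_inner_proc_unlock(proc) is what balances the tmpref of the last node visited, and `prev = node;` is set while node->lock is still held, so each node's tmpref deliberately outlives its use by one iteration; the commit message only says that a temporary reference is taken and should also say that it is held until the next node has been pinned, otherwise the trailing put reads like leftover code.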
From nobody Fri Nov 29 04:52:28 2024
Date: Tue, 24 Sep 2024 18:43:54 +0000
In-Reply-To: <20240924184401.76043-1-cmllamas@google.com>
References: <20240924184401.76043-1-cmllamas@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.46.0.792.g87dc391469-goog
Message-ID: <20240924184401.76043-3-cmllamas@google.com>
Subject: [PATCH 2/4] binder: fix OOB in binder_add_freeze_work()
From: Carlos Llamas
To: Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, Carlos Llamas, Suren Baghdasaryan, Yu-Ting Tseng
Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Alice Ryhl, stable@vger.kernel.org

In binder_add_freeze_work() we iterate over the proc->nodes with the
proc->inner_lock held. However, this lock is temporarily dropped to
acquire the node->lock first (lock nesting order). This can race with
binder_deferred_release() which removes the nodes from the proc->nodes
rbtree and adds them into binder_dead_nodes list. This leads to a broken
iteration in binder_add_freeze_work() as rb_next() will use data from
binder_dead_nodes, triggering an out-of-bounds access:

  ==================================================================
  BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124
  Read of size 8 at addr ffffcb84285f7170 by task freeze/660

  CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   rb_next+0xfc/0x124
   binder_add_freeze_work+0x344/0x534
   binder_ioctl+0x1e70/0x25ac
   __arm64_sys_ioctl+0x124/0x190

  The buggy address belongs to the variable:
   binder_dead_nodes+0x10/0x40
  [...]
  ==================================================================

This is possible because proc->nodes (rbtree) and binder_dead_nodes
(list) share entries in binder_node through a union:

  struct binder_node {
  [...]
	union {
		struct rb_node rb_node;
		struct hlist_node dead_node;
	};

Fix the race by checking that the proc is still alive. If not, simply
break out of the iteration.

Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas
Acked-by: Todd Kjos
Reviewed-by: Alice Ryhl
---
 drivers/android/binder.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 4d90203ea048..8bca2de6fa24 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -5593,6 +5593,8 @@ static void binder_add_freeze_work(struct binder_proc= *proc, bool is_frozen) prev =3D node; binder_node_unlock(node); binder_inner_proc_lock(proc); + if (proc->is_dead) + break; } binder_inner_proc_unlock(proc); if (prev)
-- 
2.46.0.792.g87dc391469-goog
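Review bot: the `if (proc->is_dead) break;` guard is placed right after binder_inner_proc_lock(proc) is re-taken, which is the correct point for the bottom of each iteration, but the hunk does not show the loop head, so it is not visible whether the initial fetch of the first node is equally protected when the ioctl arrives for a proc that is already dead; worth confirming, and a comment on the break that refers to the rb_node/dead_node union from the commit message would explain why following a stale rb_next() is unsafe here.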
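The two races described in patches 1/4 and 2/4 above, as a constructed user-space model added here (not code from this series or from drivers/android/binder.c): a walker has to drop inner_lock for every node, a racer callback runs in that window, and walk_after_fix() applies the tmpref plus deferred-put discipline and the is_dead check from the patches. The names pool, dead_nodes, release_first_node and kill_proc, and the flag-based model of kfree(), are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-space model (not binder code) of the proc->nodes walk in
 * binder_add_freeze_work(): dropping inner_lock is the race window (a racer
 * callback runs there) and kfree() is a flag, so a use-after-free is counted. */
struct node {
	struct node *next;   /* stands in for the rb_node / dead_node union */
	const void *owner;   /* the proc whose tree this node belongs to */
	int refs, tmp_refs;  /* proc's references / walkers' temporary ones */
	bool freed;          /* model of kfree() */
};
struct proc {
	struct node *nodes;
	bool is_dead;
	void (*racer)(struct proc *);   /* runs once, when inner_lock is dropped */
};
static struct proc the_proc;
static struct node pool[3], dead_nodes;  /* dead_nodes: the global list head */
/* Unlocking hands control to the racer (once); re-locking needs no model. */
#define inner_unlock(p) do { void (*r)(struct proc *) = (p)->racer; \
			     (p)->racer = NULL; if (r) r(p); } while (0)
#define bad_access(p, n) ((n)->freed || (n)->owner != (p)) /* UAF or foreign link */

static void put_node(struct node *n)   /* binder_put_node(): free on last ref */
{
	if (--n->tmp_refs == 0 && n->refs == 0)
		n->freed = true;
}
/* Racer A (patch 1): the proc drops its reference on the node being visited. */
static void release_first_node(struct proc *p)
{
	struct node *n = p->nodes;
	p->nodes = n->next;
	n->refs = 0;
	n->freed = (n->tmp_refs == 0);   /* survives only if a walker holds a tmpref */
}
/* Racer B (patch 2): binder_deferred_release() moves the nodes to the dead
 * list, so the next link a walker still holds now points at that global. */
static void kill_proc(struct proc *p)
{
	for (struct node *n = p->nodes, *next; n; n = next) {
		next = n->next;
		n->next = &dead_nodes;
	}
	p->nodes = NULL;
	p->is_dead = true;
}
static struct proc *setup(void (*racer)(struct proc *))   /* three live nodes */
{
	for (int i = 0; i < 3; i++)
		pool[i] = (struct node){ .next = i < 2 ? &pool[i + 1] : NULL,
					 .owner = &the_proc, .refs = 1 };
	the_proc = (struct proc){ .nodes = pool, .racer = racer };
	return &the_proc;
}
/* The walk before the fixes: returns the number of bad accesses. */
static int walk_before_fix(struct proc *p)
{
	int bad = 0;
	for (struct node *n = p->nodes; n; n = n->next) {  /* inner_lock held */
		inner_unlock(p);             /* node->lock has to be taken first */
		bad += bad_access(p, n);     /* work under node->lock, then re-lock */
	}
	return bad;
}
/* The walk with patches 1 and 2: tmpref + deferred put, then is_dead check. */
static int walk_after_fix(struct proc *p)
{
	struct node *prev = NULL;
	int bad = 0;
	for (struct node *n = p->nodes; n; n = n->next) {
		n->tmp_refs++;               /* binder_inc_node_tmpref_ilocked() */
		inner_unlock(p);
		if (prev)
			put_node(prev);      /* previous node put outside inner_lock */
		bad += bad_access(p, n);
		prev = n;                    /* inner_lock is re-taken here */
		if (p->is_dead)              /* rb_next() would read dead_nodes */
			break;
	}
	if (prev)
		put_node(prev);              /* balance the last node's tmpref */
	return bad;
}
```

walk_before_fix() reports one bad access for each racer (the freed node in scenario A, the link into dead_nodes in scenario B), while walk_after_fix() reports none and still frees the released node through the deferred put.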
From nobody Fri Nov 29 04:52:28 2024
Date: Tue, 24 Sep 2024 18:43:55 +0000
In-Reply-To: <20240924184401.76043-1-cmllamas@google.com>
References: <20240924184401.76043-1-cmllamas@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.46.0.792.g87dc391469-goog
Message-ID: <20240924184401.76043-4-cmllamas@google.com>
Subject: [PATCH 3/4] binder: fix freeze UAF in binder_release_work()
From: Carlos Llamas
To: Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, Carlos Llamas, Suren Baghdasaryan, Yu-Ting Tseng
Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Alice Ryhl, stable@vger.kernel.org

When a binder reference is cleaned up, any freeze work queued in the
associated process should also be removed. Otherwise, the reference is
freed while its ref->freeze.work is still queued in proc->work leading
to a use-after-free issue as shown by the following KASAN report:

  ==================================================================
  BUG: KASAN: slab-use-after-free in binder_release_work+0x398/0x3d0
  Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211

  CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22
  Hardware name: linux,dummy-virt (DT)
  Workqueue: events binder_deferred_func
  Call trace:
   binder_release_work+0x398/0x3d0
   binder_deferred_func+0xb60/0x109c
   process_one_work+0x51c/0xbd4
   worker_thread+0x608/0xee8

  Allocated by task 703:
   __kmalloc_cache_noprof+0x130/0x280
   binder_thread_write+0xdb4/0x42a0
   binder_ioctl+0x18f0/0x25ac
   __arm64_sys_ioctl+0x124/0x190
   invoke_syscall+0x6c/0x254

  Freed by task 211:
   kfree+0xc4/0x230
   binder_deferred_func+0xae8/0x109c
   process_one_work+0x51c/0xbd4
   worker_thread+0x608/0xee8
  ==================================================================

This commit fixes the issue by ensuring any queued freeze work is removed
when cleaning up a binder reference.

Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas
Acked-by: Todd Kjos
Reviewed-by: Alice Ryhl
---
 drivers/android/binder.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 8bca2de6fa24..d955135ee37a 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1225,6 +1225,12 @@ static void binder_cleanup_ref_olocked(struct binder= _ref *ref) binder_dequeue_work(ref->proc, &ref->death->work); binder_stats_deleted(BINDER_STAT_DEATH); } + + if (ref->freeze) { + binder_dequeue_work(ref->proc, &ref->freeze->work); + binder_stats_deleted(BINDER_STAT_FREEZE); + } + binder_stats_deleted(BINDER_STAT_REF); } =20
-- 
2.46.0.792.g87dc391469-goog
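Review bot: the new `if (ref->freeze)` block dequeues `ref->freeze->work` and accounts it under BINDER_STAT_FREEZE but says nothing about who frees `ref->freeze` itself; the death block directly above follows the same dequeue-then-stats pattern and also leaves the free to a later step, so a comment confirming that `ref->freeze` is released on the same path as `ref->death` would make it clear this is not a leak. As a style nit, the added blank `+` line between the new block and `binder_stats_deleted(BINDER_STAT_REF);` introduces spacing the surrounding code did not have and could be dropped.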
From nobody Fri Nov 29 04:52:28 2024
Date: Tue, 24 Sep 2024 18:43:56 +0000
In-Reply-To: <20240924184401.76043-1-cmllamas@google.com>
References: <20240924184401.76043-1-cmllamas@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.46.0.792.g87dc391469-goog
Message-ID: <20240924184401.76043-5-cmllamas@google.com>
Subject: [PATCH 4/4] binder: fix BINDER_WORK_FROZEN_BINDER debug logs
From: Carlos Llamas
To: Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, Carlos Llamas, Suren Baghdasaryan, Yu-Ting Tseng
Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Alice Ryhl, stable@vger.kernel.org

The BINDER_WORK_FROZEN_BINDER type is not handled in the binder_logs
entries and it shows up as "unknown work" when logged:

  proc 649
  context binder-test
    thread 649: l 00 need_return 0 tr 0
    ref 13: desc 1 node 8 s 1 w 0 d 0000000053c4c0c3
      unknown work: type 10

This patch adds the freeze work type and is now logged as such:

  proc 637
  context binder-test
    thread 637: l 00 need_return 0 tr 0
    ref 8: desc 1 node 3 s 1 w 0 d 00000000dc39e9c6
      has frozen binder

Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas
Acked-by: Todd Kjos
---
 drivers/android/binder.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index d955135ee37a..2be9f3559ed7 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -6408,6 +6408,9 @@ static void print_binder_work_ilocked(struct seq_file= *m, case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: seq_printf(m, "%shas cleared death notification\n", prefix); break; + case BINDER_WORK_FROZEN_BINDER: + seq_printf(m, "%shas frozen binder\n", prefix); + break; default: seq_printf(m, "%sunknown work: type %d\n", prefix, w->type); break; --=20 2.46.0.792.g87dc391469-goog
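Review bot: the new `case BINDER_WORK_FROZEN_BINDER:` prints only the fixed string "has frozen binder", and the commit message's example shows the entry hanging off a ref (`ref 8: desc 1 node 3 ...`); if the freeze work item records which state it is about to report (frozen or unfrozen), printing that alongside the string would let the log distinguish the two events rather than only resolving the former "unknown work: type 10".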