From: Chris Mason
Subject: [PATCH] binder: cache secctx size before release zeroes it
Date: Wed, 3 Jun 2026 10:44:54 -0700
Message-ID: <20260603174506.1957278-1-clm@meta.com>
X-Mailer: git-send-email 2.52.0
X-Mailing-List: linux-kernel@vger.kernel.org

binder_transaction() bounds the scatter-gather buffer area with
sg_buf_end_offset and subtracts the aligned LSM context size because the
secctx is written at the tail of that area.
The subtraction reads lsmctx.len, but that field has already been cleared
by the time the line runs:

    security_secid_to_secctx(secid, &lsmctx)          /* lsmctx.len set */
    lsmctx_aligned_size = ALIGN(lsmctx.len, sizeof(u64))
    extra_buffers_size += lsmctx_aligned_size
    ...
    security_release_secctx(&lsmctx)                  /* memset zeroes len */
    ...
    sg_buf_end_offset = sg_buf_offset + extra_buffers_size
                        - ALIGN(lsmctx.len, sizeof(u64))  /* ALIGN(0,8) */

security_release_secctx() does memset(cp, 0, sizeof(*cp)), so lsmctx.len
reads back as 0 and the subtraction contributes nothing, leaving
sg_buf_end_offset too large by the aligned secctx size on every
transaction to a txn_security_ctx node.

Each BINDER_TYPE_PTR object then derives
buf_left = sg_buf_end_offset - sg_buf_offset as the sole upper bound on
its copy, so the inflated end offset lets the copy run into the bytes
that already hold the secctx.

The aligned size must therefore be cached before release rather than
re-read from the now-cleared field. Fix by caching it in
lsmctx_aligned_size at function scope when it is first computed and
subtracting lsmctx_aligned_size instead of re-reading lsmctx.len after
release. Reuse the same value for the earlier buf_offset computation.

Fixes: 6fba89813ccf ("lsm: ensure the correct LSM context releaser")
Cc: stable@vger.kernel.org
Assisted-by: kres:claude-opus-4-8
Signed-off-by: Chris Mason
Acked-by: Carlos Llamas
Reviewed-by: Alice Ryhl
---
 drivers/android/binder.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 9e6194224593..9b4771c1e943 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3080,6 +3080,7 @@ static void binder_transaction(struct binder_proc *pr= oc, int t_debug_id =3D atomic_inc_return(&binder_last_id); ktime_t t_start_time =3D ktime_get(); struct lsm_context lsmctx =3D { }; + size_t lsmctx_aligned_size =3D 0; struct list_head sgc_head; struct list_head pf_head; const void __user *user_buffer =3D (const void __user *) @@ -3348,7 +3349,6 @@ static void binder_transaction(struct binder_proc *pr= oc, =20 if (target_node && target_node->txn_security_ctx) { u32 secid; - size_t added_size; =20 security_cred_getsecid(proc->cred, &secid); ret =3D security_secid_to_secctx(secid, &lsmctx); @@ -3360,9 +3360,9 @@ static void binder_transaction(struct binder_proc *pr= oc, return_error_line =3D __LINE__; goto err_get_secctx_failed; } - added_size =3D ALIGN(lsmctx.len, sizeof(u64)); - extra_buffers_size +=3D added_size; - if (extra_buffers_size < added_size) { + lsmctx_aligned_size =3D ALIGN(lsmctx.len, sizeof(u64)); + extra_buffers_size +=3D lsmctx_aligned_size; + if (extra_buffers_size < lsmctx_aligned_size) { binder_txn_error("%d:%d integer overflow of extra_buffers_size\n", thread->pid, proc->pid); return_error =3D BR_FAILED_REPLY; @@ -3399,7 +3399,7 @@ static void binder_transaction(struct binder_proc *pr= oc, size_t buf_offset =3D ALIGN(tr->data_size, sizeof(void *)) + ALIGN(tr->offsets_size, sizeof(void *)) + ALIGN(extra_buffers_size, sizeof(void *)) - - ALIGN(lsmctx.len, sizeof(u64)); + lsmctx_aligned_size; =20 t->security_ctx =3D t->buffer->user_data + buf_offset; err =3D binder_alloc_copy_to_buffer(&target_proc->alloc, 
@@ -3454,7 +3454,7 @@ static void binder_transaction(struct binder_proc *pr= oc, off_end_offset =3D off_start_offset + tr->offsets_size; sg_buf_offset =3D ALIGN(off_end_offset, sizeof(void *)); sg_buf_end_offset =3D sg_buf_offset + extra_buffers_size - - ALIGN(lsmctx.len, sizeof(u64)); + lsmctx_aligned_size; off_min =3D 0; for (buffer_offset =3D off_start_offset; buffer_offset < off_end_offset; buffer_offset +=3D sizeof(binder_size_t)) { --=20 2.52.0
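Review bot: in the first hunk (@@ -3080), the zero initializer on "size_t lsmctx_aligned_size = 0;" is load-bearing, not cosmetic. The subtractions introduced in the buf_offset and sg_buf_end_offset hunks run for every transaction, including ones whose target_node has no txn_security_ctx, and on that path the block that assigns lsmctx_aligned_size is never entered, so the bound is only right because the variable starts at 0. Suggest a one-line comment on the declaration saying it stays 0 when no secctx is appended, so a later cleanup does not drop the initializer or move the declaration into the secctx block.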
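Review bot: in the last hunk (@@ -3454), the new "- lsmctx_aligned_size;" is correct, but nothing at the site tells a reader that lsmctx has already been handed to security_release_secctx() and that lsmctx.len reads as 0 here, which is exactly the trap the old ALIGN(lsmctx.len, sizeof(u64)) line fell into. Suggest a short comment at the subtraction, e.g. "/* lsmctx was released above and its len is now 0; use the cached size */", so that nobody "simplifies" the cached variable back into a re-read of the field.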
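The ordering bug the commit message describes, stale field read after a releaser that zeroes the object, is easy to replay outside the kernel. The following is an added userspace model, not binder code and not part of the patch: it mirrors the names from the commit message (lsmctx, lsmctx_aligned_size, extra_buffers_size, sg_buf_offset, sg_buf_end_offset, buf_left), uses a cut-down stand-in for struct lsm_context, and feeds in constructed sizes (64 bytes of data, one 8-byte offset, a 64-byte user scatter-gather area, a 21-byte secctx). It computes sg_buf_end_offset both ways, re-reading lsmctx.len after release and subtracting the cached aligned size, and then applies the BINDER_TYPE_PTR buf_left check to show that only the stale-read variant accepts an object whose copy reaches the secctx bytes.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kernel-style ALIGN(): round x up to a power-of-two boundary a. */
#define ALIGN(x, a) (((x) + ((a) - 1)) & ~((size_t)(a) - 1))

/* Constructed stand-in for struct lsm_context: only the members this
 * model needs. The behaviour that matters is that the releaser zeroes
 * the whole object, including len. */
struct lsm_context {
	const char *context;
	uint32_t len;
};

/* Models security_release_secctx(): memset(cp, 0, sizeof(*cp)). */
static void release_secctx(struct lsm_context *cp)
{
	memset(cp, 0, sizeof(*cp));
}

struct sg_bounds {
	size_t sg_buf_offset;     /* start of the scatter-gather area */
	size_t sg_buf_end_offset; /* computed upper bound for PTR copies */
	size_t secctx_offset;     /* where the secctx bytes actually sit */
};

/*
 * Replays the ordering from binder_transaction(): size the secctx,
 * account for it in extra_buffers_size, place it at the tail of the
 * extra area, release the context, then compute the sg bound.
 * cache_before_release == 0 re-reads lsmctx.len after release (the bug);
 * cache_before_release == 1 subtracts the cached aligned size (the fix).
 * All sizes are constructed test values, not binder constants.
 */
static struct sg_bounds compute_bounds(size_t data_size, size_t offsets_size,
				       size_t user_sg_size, uint32_t secctx_len,
				       int cache_before_release)
{
	struct lsm_context lsmctx = { .context = "u:r:untrusted_app:s0",
				      .len = secctx_len };
	size_t lsmctx_aligned_size = ALIGN(lsmctx.len, sizeof(uint64_t));
	size_t extra_buffers_size = user_sg_size + lsmctx_aligned_size;
	size_t off_start_offset = ALIGN(data_size, sizeof(void *));
	size_t off_end_offset = off_start_offset + offsets_size;
	struct sg_bounds b;

	b.sg_buf_offset = ALIGN(off_end_offset, sizeof(void *));

	/* The secctx is written at the tail of the extra buffer area. */
	b.secctx_offset = ALIGN(data_size, sizeof(void *)) +
			  ALIGN(offsets_size, sizeof(void *)) +
			  ALIGN(extra_buffers_size, sizeof(void *)) -
			  lsmctx_aligned_size;

	/* Context has been copied into the buffer and is released: len is 0. */
	release_secctx(&lsmctx);

	b.sg_buf_end_offset = b.sg_buf_offset + extra_buffers_size -
			      (cache_before_release
				       ? lsmctx_aligned_size
				       : ALIGN(lsmctx.len, sizeof(uint64_t)));
	return b;
}

/*
 * Models the BINDER_TYPE_PTR bound: buf_left = end - offset is the only
 * limit on the copy. Returns -1 if the object is rejected, 1 if it is
 * accepted and the copy would run into the secctx bytes, 0 if accepted
 * and disjoint from the secctx.
 */
static int ptr_object_overlaps_secctx(struct sg_bounds b, size_t length)
{
	size_t buf_left = b.sg_buf_end_offset - b.sg_buf_offset;

	if (length > buf_left)
		return -1;
	return b.sg_buf_offset + length > b.secctx_offset;
}

int main(void)
{
	/* Constructed transaction: 64 bytes data, one 8-byte offset, a
	 * 64-byte user sg area, and a 21-byte secctx (aligned to 24). */
	struct sg_bounds buggy = compute_bounds(64, 8, 64, 21, 0);
	struct sg_bounds fixed = compute_bounds(64, 8, 64, 21, 1);

	printf("buggy end=%zu fixed end=%zu secctx at %zu\n",
	       buggy.sg_buf_end_offset, fixed.sg_buf_end_offset,
	       buggy.secctx_offset);
	printf("88-byte PTR object: buggy=%d fixed=%d\n",
	       ptr_object_overlaps_secctx(buggy, 88),
	       ptr_object_overlaps_secctx(fixed, 88));
	return 0;
}
```

With these inputs the stale read leaves sg_buf_end_offset 24 bytes past the secctx start, which is exactly ALIGN(21, 8); an 88-byte PTR object passes the buf_left check on the buggy path and its copy would land on the secctx, while the cached-size path rejects it and only admits objects that end at or before the secctx. With secctx_len 0 the two paths agree, which is the no-txn_security_ctx case where the function-scope variable must still be 0.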