Message ID | 20190926191447.13750-2-connor.kuehl@canonical.com |
---|---|
State | New |
Headers | show |
Series | [Disco,SRU,CVE-2019-2181] binder: check for overflow when alloc for security context | expand |
On 26.09.19 21:14, Connor Kuehl wrote: > From: Todd Kjos <tkjos@android.com> > > CVE-2019-2181 > > When allocating space in the target buffer for the security context, > make sure the extra_buffers_size doesn't overflow. This can only > happen if the given size is invalid, but an overflow can turn it > into a valid size. Fail the transaction if an overflow is detected. > > Signed-off-by: Todd Kjos <tkjos@google.com> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > (cherry picked from commit 0b0509508beff65c1d50541861bc0d4973487dc5) > Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com> Clean cherry-pick. Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > drivers/android/binder.c | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c > index c620bf826f9c..d558e6ccbc1b 100644 > --- a/drivers/android/binder.c > +++ b/drivers/android/binder.c > @@ -3039,6 +3039,7 @@ static void binder_transaction(struct binder_proc *proc, > > if (target_node && target_node->txn_security_ctx) { > u32 secid; > + size_t added_size; > > security_task_getsecid(proc->tsk, &secid); > ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); > @@ -3048,7 +3049,15 @@ static void binder_transaction(struct binder_proc *proc, > return_error_line = __LINE__; > goto err_get_secctx_failed; > } > - extra_buffers_size += ALIGN(secctx_sz, sizeof(u64)); > + added_size = ALIGN(secctx_sz, sizeof(u64)); > + extra_buffers_size += added_size; > + if (extra_buffers_size < added_size) { > + /* integer overflow of extra_buffers_size */ > + return_error = BR_FAILED_REPLY; > + return_error_param = EINVAL; > + return_error_line = __LINE__; > + goto err_bad_extra_size; > + } > } > > trace_binder_transaction(reply, t, target_node); > @@ -3349,6 +3358,7 @@ static void binder_transaction(struct binder_proc *proc, > t->buffer->transaction = NULL; > binder_alloc_free_buf(&target_proc->alloc, t->buffer); > err_binder_alloc_buf_failed: > +err_bad_extra_size: > if (secctx) > security_release_secctx(secctx, secctx_sz); > err_get_secctx_failed: >
On 2019-09-26 12:14:47, Connor Kuehl wrote: > From: Todd Kjos <tkjos@android.com> > > CVE-2019-2181 > > When allocating space in the target buffer for the security context, > make sure the extra_buffers_size doesn't overflow. This can only > happen if the given size is invalid, but an overflow can turn it > into a valid size. Fail the transaction if an overflow is detected. > > Signed-off-by: Todd Kjos <tkjos@google.com> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > (cherry picked from commit 0b0509508beff65c1d50541861bc0d4973487dc5) > Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com> Acked-by: Tyler Hicks <tyhicks@canonical.com> Tyler > --- > drivers/android/binder.c | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c > index c620bf826f9c..d558e6ccbc1b 100644 > --- a/drivers/android/binder.c > +++ b/drivers/android/binder.c > @@ -3039,6 +3039,7 @@ static void binder_transaction(struct binder_proc *proc, > > if (target_node && target_node->txn_security_ctx) { > u32 secid; > + size_t added_size; > > security_task_getsecid(proc->tsk, &secid); > ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); > @@ -3048,7 +3049,15 @@ static void binder_transaction(struct binder_proc *proc, > return_error_line = __LINE__; > goto err_get_secctx_failed; > } > - extra_buffers_size += ALIGN(secctx_sz, sizeof(u64)); > + added_size = ALIGN(secctx_sz, sizeof(u64)); > + extra_buffers_size += added_size; > + if (extra_buffers_size < added_size) { > + /* integer overflow of extra_buffers_size */ > + return_error = BR_FAILED_REPLY; > + return_error_param = EINVAL; > + return_error_line = __LINE__; > + goto err_bad_extra_size; > + } > } > > trace_binder_transaction(reply, t, target_node); > @@ -3349,6 +3358,7 @@ static void binder_transaction(struct binder_proc *proc, > t->buffer->transaction = NULL; > binder_alloc_free_buf(&target_proc->alloc, t->buffer); > err_binder_alloc_buf_failed: > +err_bad_extra_size: > if (secctx) > security_release_secctx(secctx, secctx_sz); > err_get_secctx_failed: > -- > 2.17.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index c620bf826f9c..d558e6ccbc1b 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3039,6 +3039,7 @@ static void binder_transaction(struct binder_proc *proc, if (target_node && target_node->txn_security_ctx) { u32 secid; + size_t added_size; security_task_getsecid(proc->tsk, &secid); ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); @@ -3048,7 +3049,15 @@ static void binder_transaction(struct binder_proc *proc, return_error_line = __LINE__; goto err_get_secctx_failed; } - extra_buffers_size += ALIGN(secctx_sz, sizeof(u64)); + added_size = ALIGN(secctx_sz, sizeof(u64)); + extra_buffers_size += added_size; + if (extra_buffers_size < added_size) { + /* integer overflow of extra_buffers_size */ + return_error = BR_FAILED_REPLY; + return_error_param = EINVAL; + return_error_line = __LINE__; + goto err_bad_extra_size; + } } trace_binder_transaction(reply, t, target_node); @@ -3349,6 +3358,7 @@ static void binder_transaction(struct binder_proc *proc, t->buffer->transaction = NULL; binder_alloc_free_buf(&target_proc->alloc, t->buffer); err_binder_alloc_buf_failed: +err_bad_extra_size: if (secctx) security_release_secctx(secctx, secctx_sz); err_get_secctx_failed: