[Disco,SRU] binder: Set end of SG buffer area properly.
diff mbox series

Message ID 20191126224231.14833-2-connor.kuehl@canonical.com
State New
Headers show
Series
  • [Disco,SRU] binder: Set end of SG buffer area properly.
Related show

Commit Message

Connor Kuehl Nov. 26, 2019, 10:42 p.m. UTC
From: Martijn Coenen <maco@android.com>

CVE-2019-2214

In case the target node requests a security context, the
extra_buffers_size is increased with the size of the security context.
But, that size is not available for use by regular scatter-gather
buffers; make sure the ending of that buffer is marked correctly.

Acked-by: Todd Kjos <tkjos@google.com>
Fixes: ec74136ded79 ("binder: create node flag to request sender's security context")
Signed-off-by: Martijn Coenen <maco@android.com>
Cc: stable@vger.kernel.org # 5.1+
Link: https://lore.kernel.org/r/20190709110923.220736-1-maco@android.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(backported from commit a56587065094fd96eb4c2b5ad65571daad32156d)
[ Connor Kuehl: there is a much larger cleanup patch that converts away
  from using pointers and pointer arithmetic to using uintptr values,
  that patch is bde4a19fc04f ("binder: use userspace pointer as base of
  buffer space"). I used that patch to create a mapping of equivalent
  variables:

    sg_bufp    => sg_buf_offset
    sg_buf_end => sg_buf_end_offset
    offp       => buffer_offset
    off_start  => off_start_offset
    off_end    => off_end_offset

  to construct an equivalent patch for this CVE without pulling in the
  other larger patch to base this on. 

@@ -3239,7 +3239,8 @@ static void binder_transaction(struct binder_proc *proc,      
    buffer_offset = off_start_offset;                                               
    off_end_offset = off_start_offset + tr->offsets_size;                           
    sg_buf_offset = ALIGN(off_end_offset, sizeof(void *));                          
-   sg_buf_end_offset = sg_buf_offset + extra_buffers_size;                         
+   sg_buf_end_offset = sg_buf_offset + extra_buffers_size -                        
+       ALIGN(secctx_sz, sizeof(u64));                                              
    off_min = 0;                                                                    
    for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;          
         buffer_offset += sizeof(binder_size_t)) { ]
Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>
---
 drivers/android/binder.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Patch
diff mbox series

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 6369f4ffab12..507759449ea2 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3130,7 +3130,8 @@  static void binder_transaction(struct binder_proc *proc,
 	}
 	off_end = (void *)off_start + tr->offsets_size;
 	sg_bufp = (u8 *)(PTR_ALIGN(off_end, sizeof(void *)));
-	sg_buf_end = sg_bufp + extra_buffers_size;
+	sg_buf_end = sg_bufp + extra_buffers_size -
+		ALIGN(secctx_sz, sizeof(u64));
 	off_min = 0;
 	for (; offp < off_end; offp++) {
 		struct binder_object_header *hdr;