From patchwork Tue Nov 26 22:42:31 2019
X-Patchwork-Submitter: Connor Kuehl
X-Patchwork-Id: 1201241
From: Connor Kuehl
To: kernel-team@lists.ubuntu.com
Subject: [Disco][SRU][PATCH] binder: Set end of SG buffer area properly.
Date: Tue, 26 Nov 2019 14:42:31 -0800
Message-Id: <20191126224231.14833-2-connor.kuehl@canonical.com>
In-Reply-To: <20191126224231.14833-1-connor.kuehl@canonical.com>
References: <20191126224231.14833-1-connor.kuehl@canonical.com>
List-Id: Kernel team discussions
From: Martijn Coenen

CVE-2019-2214

In case the target node requests a security context, the
extra_buffers_size is increased with the size of the security context.
But, that size is not available for use by regular scatter-gather
buffers; make sure the ending of that buffer is marked correctly.

Acked-by: Todd Kjos
Fixes: ec74136ded79 ("binder: create node flag to request sender's security context")
Signed-off-by: Martijn Coenen
Cc: stable@vger.kernel.org # 5.1+
Link: https://lore.kernel.org/r/20190709110923.220736-1-maco@android.com
Signed-off-by: Greg Kroah-Hartman
(backported from commit a56587065094fd96eb4c2b5ad65571daad32156d)
[ Connor Kuehl: there is a much larger cleanup patch that converts away
from using pointers and pointer arithmetic to using uintptr values, that
patch is bde4a19fc04f ("binder: use userspace pointer as base of buffer
space"). I used that patch to create a mapping of equivalent variables:

  sg_bufp    => sg_buf_offset
  sg_buf_end => sg_buf_end_offset
  offp       => buffer_offset
  off_start  => off_start_offset
  off_end    => off_end_offset

to construct an equivalent patch for this CVE without pulling in the
other larger patch to base this on.

@@ -3239,7 +3239,8 @@ static void binder_transaction(struct binder_proc *proc, buffer_offset = off_start_offset; off_end_offset = off_start_offset + tr->offsets_size; sg_buf_offset = ALIGN(off_end_offset, sizeof(void *)); - sg_buf_end_offset = sg_buf_offset + extra_buffers_size; + sg_buf_end_offset = sg_buf_offset + extra_buffers_size - + ALIGN(secctx_sz, sizeof(u64)); off_min = 0; for (buffer_offset = off_start_offset; buffer_offset < off_end_offset; buffer_offset += sizeof(binder_size_t)) {
]
Signed-off-by: Connor Kuehl
---
 drivers/android/binder.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 6369f4ffab12..507759449ea2 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3130,7 +3130,8 @@ static void binder_transaction(struct binder_proc *proc, } off_end = (void *)off_start + tr->offsets_size; sg_bufp = (u8 *)(PTR_ALIGN(off_end, sizeof(void *))); - sg_buf_end = sg_bufp + extra_buffers_size; + sg_buf_end = sg_bufp + extra_buffers_size - + ALIGN(secctx_sz, sizeof(u64)); off_min = 0; for (; offp < off_end; offp++) { struct binder_object_header *hdr;
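Review bot: the new sg_buf_end is only correct if ALIGN(secctx_sz, sizeof(u64)) is exactly the amount that was added to extra_buffers_size earlier in binder_transaction() for the security-context case; that increase is not in this hunk and the backport note only maps variable names, so please confirm the Disco tree rounds with sizeof(u64) there too (the context line above aligns sg_bufp with sizeof(void *), which is a different quantity on 32-bit builds). Without the subtraction sg_buf_end extended over the bytes the commit message reserves for the security context, so a transaction's scatter-gather buffers could be placed into them; a one-line comment above the new assignment saying the tail of the extra buffer area is reserved for the security context would spare the next reader that derivation. If secctx_sz is 0 when no context was requested, the subtraction is a no-op and the common path is unchanged.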
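Added example (not the kernel's or the patch's code) that models the arithmetic of the hunk above as byte offsets from the start of the transaction buffer, so the old and fixed sg_buf_end values can be compared against where the security context lives and against the bound check an SG buffer must pass. It assumes, from the commit named in the Fixes: tag, that extra_buffers_size was grown by ALIGN(secctx_sz, sizeof(u64)) and that the context is copied into the last ALIGN(secctx_sz, sizeof(u64)) bytes of that area; txn_layout, sg_space and the sample sizes are constructed for the example.

```c
/* Added example (not kernel code): Disco sg_buf_end arithmetic as byte offsets. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define ALIGN_UP(x, a) ((((size_t)(x)) + ((a) - 1)) & ~((size_t)(a) - 1))

struct txn_layout {
	size_t data_size;    /* tr->data_size */
	size_t offsets_size; /* tr->offsets_size */
	size_t sg_space;     /* extra_buffers_size as sent by the caller (constructed) */
	size_t secctx_sz;    /* 0 when the target node requested no secctx */
};

/* extra_buffers_size after it is grown for the secctx; assumed to grow by
 * ALIGN(secctx_sz, sizeof(u64)), matching the term the hunk subtracts. */
static size_t extra_buffers_size(const struct txn_layout *l)
{
	return l->sg_space + ALIGN_UP(l->secctx_sz, sizeof(uint64_t));
}
/* sg_bufp = PTR_ALIGN(off_end, sizeof(void *)), as in the hunk's context lines. */
static size_t sg_bufp(const struct txn_layout *l)
{
	size_t off_start = ALIGN_UP(l->data_size, sizeof(void *));
	return ALIGN_UP(off_start + l->offsets_size, sizeof(void *));
}
/* sg_buf_end: the removed line (fixed == false) vs. the added one (fixed == true). */
size_t sg_buf_end(const struct txn_layout *l, bool fixed)
{
	size_t end = sg_bufp(l) + extra_buffers_size(l);
	return fixed ? end - ALIGN_UP(l->secctx_sz, sizeof(uint64_t)) : end;
}
/* Assumed: the secctx occupies the last ALIGN(secctx_sz, 8) bytes of the extra
 * area, so this is the first byte a scatter-gather buffer must not reach. */
size_t secctx_start(const struct txn_layout *l)
{
	return sg_bufp(l) + extra_buffers_size(l) - ALIGN_UP(l->secctx_sz, sizeof(uint64_t));
}
/* Bound check: an SG buffer of len bytes at the current sg pointer passes
 * iff it ends at or before sg_buf_end. */
bool sg_buffer_accepted(const struct txn_layout *l, size_t len, bool fixed)
{
	return len <= sg_buf_end(l, fixed) - sg_bufp(l);
}
/* True when such a buffer would reach into the security-context bytes. */
bool sg_buffer_overlaps_secctx(const struct txn_layout *l, size_t len)
{
	return l->secctx_sz != 0 && sg_bufp(l) + len > secctx_start(l);
}
```

With data_size 16, offsets_size 8, 32 bytes of caller SG space and a 20-byte context, the old end marker accepts a 48-byte SG buffer that runs 16 bytes into the context; the fixed marker rejects it and still accepts the 32 bytes the caller actually reserved.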