linux/drivers
Todd Kjos d35d3660e0 binder: fix null deref of proc->context
The binder driver makes the assumption proc->context pointer is invariant after
initialization (as documented in the kerneldoc header for struct proc).
However, in commit f0fe2c0f05 ("binder: prevent UAF for binderfs devices II")
proc->context is set to NULL during binder_deferred_release().

Another proc was in the middle of setting up a transaction to the dying
process and crashed on a NULL pointer deref on "context" which is a local
set to &proc->context:

    new_ref->data.desc = (node == context->binder_context_mgr_node) ? 0 : 1;

Here's the stack:

[ 5237.855435] Call trace:
[ 5237.855441] binder_get_ref_for_node_olocked+0x100/0x2ec
[ 5237.855446] binder_inc_ref_for_node+0x140/0x280
[ 5237.855451] binder_translate_binder+0x1d0/0x388
[ 5237.855456] binder_transaction+0x2228/0x3730
[ 5237.855461] binder_thread_write+0x640/0x25bc
[ 5237.855466] binder_ioctl_write_read+0xb0/0x464
[ 5237.855471] binder_ioctl+0x30c/0x96c
[ 5237.855477] do_vfs_ioctl+0x3e0/0x700
[ 5237.855482] __arm64_sys_ioctl+0x78/0xa4
[ 5237.855488] el0_svc_common+0xb4/0x194
[ 5237.855493] el0_svc_handler+0x74/0x98
[ 5237.855497] el0_svc+0x8/0xc

The fix is to move the kfree of the binder_device to binder_free_proc()
so the binder_device is freed when we know there are no references
remaining on the binder_proc.

Fixes: f0fe2c0f05 ("binder: prevent UAF for binderfs devices II")
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200622200715.114382-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-23 07:54:46 +02:00
..
accessibility treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
acpi libnvdimm for 5.8 2020-06-13 13:04:36 -07:00
amba ARM: tegra: Replace zero-length array with flexible-array 2020-06-15 23:08:28 -05:00
android binder: fix null deref of proc->context 2020-06-23 07:54:46 +02:00
ata libata-5.8-2020-06-19 2020-06-19 13:09:40 -07:00
atm treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
auxdisplay treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
base linux-kselftest-kunit-5.8-rc1 2020-06-09 10:04:47 -07:00
bcma
block block-5.8-2020-06-19 2020-06-19 13:11:26 -07:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
bus Char/Misc driver patches for 5.8-rc1 2020-06-07 10:59:32 -07:00
cdrom Merge branch 'work.sysctl' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-06-10 16:05:54 -07:00
char Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2020-06-21 10:01:03 -07:00
clk treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
clocksource clocksource/drivers/timer-riscv: Use per-CPU timer interrupt 2020-06-09 19:11:22 -07:00
connector treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
counter
cpufreq treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
cpuidle - Add the hwmon support on the i.MX SC (Anson Huang) 2020-06-12 14:10:21 -07:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2020-06-21 10:01:03 -07:00
dax device-dax: add memory via add_memory_driver_managed() 2020-06-04 19:06:23 -07:00
dca
devfreq
dio maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault 2020-06-17 10:57:41 -07:00
dma dmaengine: tegra-apb: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
dma-buf treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
edac Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
eisa treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
extcon
firewire firewire: ohci: Replace zero-length array with flexible-array 2020-06-15 23:08:31 -05:00
firmware firmware: pcdp: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
fpga Char/Misc driver patches for 5.8-rc1 2020-06-07 10:59:32 -07:00
fsi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
gnss treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
gpio treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
gpu Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2020-06-20 19:18:27 -07:00
greybus treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
hid treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
hsi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
hv hyperv-next for 5.8 2020-06-03 15:00:05 -07:00
hwmon Merge branch 'x86/entry' into ras/core 2020-06-11 15:17:57 +02:00
hwspinlock
hwtracing stm class: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
i2c i2c: smbus: Fix spelling mistake in the comments 2020-06-19 10:09:16 +02:00
i3c
ide treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
idle
iio treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
infiniband treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
input maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault 2020-06-17 10:57:41 -07:00
interconnect More power management updates for 5.8-rc1 2020-06-10 14:04:39 -07:00
iommu Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
ipack treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
irqchip clocksource/drivers/timer-riscv: Use per-CPU timer interrupt 2020-06-09 19:11:22 -07:00
isdn treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
leds LEDs pull request for 5.8-rc1. 2020-06-04 11:03:45 -07:00
lightnvm for-5.8/block-2020-06-01 2020-06-02 15:29:19 -07:00
macintosh treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
mailbox mailbox: qcom: Add ipq6018 apcs compatible 2020-06-10 22:43:57 -05:00
mcb
md bcache: pr_info() format clean up in bcache_device_init() 2020-06-14 16:47:56 -06:00
media media: pwc: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
memory
memstick
message treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
mfd mfd: mt6360: Fix register driver NULL pointer by adding driver name 2020-06-16 09:32:43 +01:00
misc maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault 2020-06-17 10:57:41 -07:00
mmc treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
most
mtd This pull request contains a single change for UBI: 2020-06-10 13:24:40 -07:00
mux
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-06-16 17:44:54 -07:00
nfc treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ntb NTB: perf: Fix race condition when run with ntb_test 2020-06-05 20:02:09 -04:00
nubus
nvdimm nvdimm/region: always show the 'align' attribute 2020-06-17 14:08:31 -07:00
nvme Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
nvmem
of Driver core patches for 5.8-rc1 2020-06-07 10:53:36 -07:00
opp treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
oprofile oprofile: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
parisc
parport treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
pci Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
pcmcia treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
perf arm64 merge window fixes for -rc1 2020-06-11 12:53:23 -07:00
phy phy: samsung: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
pinctrl pinctrl: single: fix function name in documentation 2020-06-20 22:41:32 +02:00
platform Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
pnp treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
power power supply and reset changes for the v5.8 series 2020-06-10 11:28:35 -07:00
powercap Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
pps treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ps3
ptp treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
pwm pwm: Add missing "CONFIG_" prefix 2020-06-04 19:09:28 +02:00
rapidio rapidio: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
ras
regulator Merge remote-tracking branch 'regulator/for-5.8' into regulator-linus 2020-06-01 13:01:44 +01:00
remoteproc remoteproc updates for v5.8 2020-06-08 13:01:08 -07:00
reset Char/Misc driver patches for 5.8-rc1 2020-06-07 10:59:32 -07:00
rpmsg remoteproc updates for v5.8 2020-06-08 13:01:08 -07:00
rtc RTC for 5.8 2020-06-07 16:11:23 -07:00
s390 s390/qdio: warn about unexpected SLSB states 2020-06-17 23:05:05 +02:00
sbus treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
scsi scsi: Wire up ata_scsi_dma_need_drain for SAS HBA drivers 2020-06-15 23:40:43 -04:00
sfi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
sh
siox
slimbus
soc soc: ti: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
soundwire
spi Char/Misc driver patches for 5.8-rc1 2020-06-07 10:59:32 -07:00
spmi
ssb
staging Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
target Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
tc
tee mmap locking API: use coccinelle to convert mmap_sem rwsem call sites 2020-06-09 09:39:14 -07:00
thermal - Add the hwmon support on the i.MX SC (Anson Huang) 2020-06-12 14:10:21 -07:00
thunderbolt USB/PHY driver updates for 5.8-rc1 2020-06-07 09:42:16 -07:00
tty treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
uio
usb Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
vdpa ifcvf: implement config interrupt in IFCVF 2020-06-06 16:26:47 -04:00
vfio kernel: better document the use_mm/unuse_mm API contract 2020-06-10 19:14:18 -07:00
vhost Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
video Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2020-06-20 19:18:27 -07:00
virt treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
virtio treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
visorbus treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
vlynq
vme treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
w1 w1: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
watchdog treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
xen The X86 entry, exception and interrupt code rework 2020-06-13 10:05:47 -07:00
zorro treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Kconfig
Makefile