bianbu-repo-mirror/bianbu-linux-6.6
1
0
Fork 0
mirror of https://gitee.com/bianbu-linux/linux-6.6 synced 2025-04-24 14:07:52 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

binder: protect against two threads freeing buffer

Browse source 
Adds protection against malicious user code freeing
the same buffer at the same time which could cause
a crash. Cannot happen under normal use.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Todd Kjos 2017-06-29 12:01:51 -07:00 committed by Greg Kroah-Hartman
parent e4cffcf4bf
commit 53d311cfa1
3 changed files with 23 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

22
drivers/android/binder_alloc.c
View file

@ -116,7 +116,7 @@ static void binder_insert_allocated_buffer_locked(
rb_insert_color(&new_buffer->rb_node, &alloc->allocated_buffers);
}
static struct binder_buffer *binder_alloc_buffer_lookup_locked(
static struct binder_buffer *binder_alloc_prepare_to_free_locked(
struct binder_alloc *alloc,
uintptr_t user_ptr)
{
@ -135,8 +135,19 @@ static struct binder_buffer *binder_alloc_buffer_lookup_locked(
n = n->rb_left;
else if (kern_ptr > buffer)
n = n->rb_right;
else
else {
/*
* Guard against user threads attempting to
* free the buffer twice
*/
if (buffer->free_in_progress) {
pr_err("%d:%d FREE_BUFFER u%016llx user freed buffer twice\n",
alloc->pid, current->pid, (u64)user_ptr);
return NULL;
}
buffer->free_in_progress = 1;
return buffer;
}
}
return NULL;
}
@ -152,13 +163,13 @@ static struct binder_buffer *binder_alloc_buffer_lookup_locked(
*
* Return: Pointer to buffer or NULL
*/
struct binder_buffer *binder_alloc_buffer_lookup(struct binder_alloc *alloc,
uintptr_t user_ptr)
struct binder_buffer *binder_alloc_prepare_to_free(struct binder_alloc *alloc,
uintptr_t user_ptr)
{
struct binder_buffer *buffer;
mutex_lock(&alloc->mutex);
buffer = binder_alloc_buffer_lookup_locked(alloc, user_ptr);
buffer = binder_alloc_prepare_to_free_locked(alloc, user_ptr);
mutex_unlock(&alloc->mutex);
return buffer;
}
@ -358,6 +369,7 @@ struct binder_buffer *binder_alloc_new_buf_locked(struct binder_alloc *alloc,
rb_erase(best_fit, &alloc->free_buffers);
buffer->free = 0;
buffer->free_in_progress = 0;
binder_insert_allocated_buffer_locked(alloc, buffer);
if (buffer_size != size) {
struct binder_buffer *new_buffer = (void *)buffer->data + size;