BACKPORT: FROMLIST: binder: fix freeze UAF in binder_release_work()

When a binder reference is cleaned up, any freeze work queued in the
associated process should also be removed. Otherwise, the reference is
freed while its ref->freeze.work is still queued in proc->work leading
to a use-after-free issue as shown by the following KASAN report:

  ==================================================================
  BUG: KASAN: slab-use-after-free in binder_release_work+0x398/0x3d0
  Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211

  CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22
  Hardware name: linux,dummy-virt (DT)
  Workqueue: events binder_deferred_func
  Call trace:
   binder_release_work+0x398/0x3d0
   binder_deferred_func+0xb60/0x109c
   process_one_work+0x51c/0xbd4
   worker_thread+0x608/0xee8

  Allocated by task 703:
   __kmalloc_cache_noprof+0x130/0x280
   binder_thread_write+0xdb4/0x42a0
   binder_ioctl+0x18f0/0x25ac
   __arm64_sys_ioctl+0x124/0x190
   invoke_syscall+0x6c/0x254

  Freed by task 211:
   kfree+0xc4/0x230
   binder_deferred_func+0xae8/0x109c
   process_one_work+0x51c/0xbd4
   worker_thread+0x608/0xee8
  ==================================================================

This commit fixes the issue by ensuring any queued freeze work is removed
when cleaning up a binder reference.

Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>

Bug: 366003708
Link: https://lore.kernel.org/all/20240924184401.76043-4-cmllamas@google.com/
Change-Id: Icc40e7dd6157981f4adbea7243e55be118552321
[cmllamas: drop BINDER_STAT_FREEZE as it's not supported here]
Signed-off-by: Carlos Llamas <cmllamas@google.com>

This commit is contained in:

Carlos Llamas

2024-09-24 18:43:55 +00:00

committed by

Ksawlii

parent 1cf14664be

commit 5380adeb80

1 changed files with 4 additions and 0 deletions

									
										4

drivers/android/binder.c
									
										View file
										
				@ -1289,6 +1289,10 @@ static void binder_cleanup_ref_olocked(struct binder_ref *ref)

						binder_dequeue_work(ref->proc, &ref->death->work);

						binder_stats_deleted(BINDER_STAT_DEATH);

					}

					if (ref->freeze)

						binder_dequeue_work(ref->proc, &ref->freeze->work);

					binder_stats_deleted(BINDER_STAT_REF);

				}

BACKPORT: FROMLIST: binder: fix freeze UAF in binder_release_work()

4 drivers/android/binder.c Unescape Escape View file

4

drivers/android/binder.c

View file