kernel_samsung_a53x/drivers
Carlos Llamas be0950a61a binder: fix UAF caused by offsets overwrite
commit 4df153652cc46545722879415937582028c18af5 upstream.

Binder objects are processed and copied individually into the target
buffer during transactions. Any raw data in-between these objects is
copied as well. However, this raw data copy lacks an out-of-bounds
check. If the raw data exceeds the data section size then the copy
overwrites the offsets section. This eventually triggers an error that
attempts to unwind the processed objects. However, at this point the
offsets used to index these objects are now corrupted.

Unwinding with corrupted offsets can result in decrements of arbitrary
nodes and lead to their premature release. Other users of such nodes are
left with a dangling pointer triggering a use-after-free. This issue is
made evident by the following KASAN report (trimmed):

  ==================================================================
  BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
  Write of size 4 at addr ffff47fc91598f04 by task binder-util/743

  CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   _raw_spin_lock+0xe4/0x19c
   binder_free_buf+0x128/0x434
   binder_thread_write+0x8a4/0x3260
   binder_ioctl+0x18f0/0x258c
  [...]

  Allocated by task 743:
   __kmalloc_cache_noprof+0x110/0x270
   binder_new_node+0x50/0x700
   binder_transaction+0x413c/0x6da8
   binder_thread_write+0x978/0x3260
   binder_ioctl+0x18f0/0x258c
  [...]

  Freed by task 745:
   kfree+0xbc/0x208
   binder_thread_read+0x1c5c/0x37d4
   binder_ioctl+0x16d8/0x258c
  [...]
  ==================================================================

To avoid this issue, let's check that the raw data copy is within the
boundaries of the data section.

Fixes: 6d98eb95b450 ("binder: avoid potential data leakage when copying txn")
Cc: Todd Kjos <tkjos@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240822182353.2129600-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-01-19 00:09:59 +01:00
accessibility
acpi ACPI: processor: Fix memory leaks in error paths of processor_add() 2025-01-19 00:09:58 +01:00
amba
android binder: fix UAF caused by offsets overwrite 2025-01-19 00:09:59 +01:00
ata ata: sata_highbank: fix OF node reference leak in highbank_initialize_phys() 2025-01-02 17:00:49 +01:00
atm atm: idt77252: prevent use after free in dequeue_rx() 2024-11-23 23:20:43 +01:00
auxdisplay
base regmap: Use correct format specifier for logging range errors 2025-01-15 16:29:50 +01:00
battery Revert "battery: nuke sm5451_charger driver from a53x" 2025-01-18 22:11:40 +01:00
bcma
block virtio-blk: don't keep queue frozen during system suspend 2025-01-15 16:29:50 +01:00
bluetooth Bluetooth: btusb: Add RTL8852BE device 0489:e123 to device tables 2024-12-17 13:24:31 +01:00
bts
bus Revert "bus: integrator-lm: fix OF node leak in probe()" 2024-11-24 00:23:16 +01:00
cdrom
char Revert "tpm: Clean up TPM space after command failure" 2024-11-24 00:23:24 +01:00
clk Revert "clkdev: remove CONFIG_CLKDEV_LOOKUP" 2025-01-02 17:01:18 +01:00
clocksource clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX 2025-01-19 00:09:59 +01:00
connector
counter
cpufreq exynos: acme: dumb down code to take in any freq table 2025-01-15 16:39:44 +01:00
cpuidle cpuidle: menu: Take negative "sleep length" values into account 2024-11-19 18:01:28 +01:00
crypto crypto: cavium - Fix an error handling path in cpt_ucode_load_fw() 2024-12-17 13:24:00 +01:00
dax
dca
devfreq
dio
dma dmaengine: dw: Select only supported masters for ACPI devices 2025-01-15 16:29:54 +01:00
dma-buf UPSTREAM: dma-buf: heaps: Fix off-by-one in CMA heap fault handler 2025-01-19 00:09:58 +01:00
edac EDAC/fsl_ddr: Fix bad bit shift operations 2024-12-17 13:23:59 +01:00
eisa
extcon
fingerprint
firewire
firmware BACKPORT: firmware: arm_scmi: Queue in scmi layer for mailbox implementation 2025-01-19 00:09:58 +01:00
fpga
fsi
gnss
gpio gpio: grgpio: Add NULL check in grgpio_probe 2024-12-17 13:24:27 +01:00
gpu drm: adv7511: Drop dsi single lane support 2025-01-15 16:29:56 +01:00
greybus
gud
hid HID: wacom: fix when get product name maybe null pointer 2024-12-17 13:24:28 +01:00
hsi
hv Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic 2025-01-19 00:09:59 +01:00
hwmon hwmon: (tmp513) Fix interpretation of values of Temperature Result and Limit Registers 2025-01-15 16:29:45 +01:00
hwspinlock Revert "hwspinlock: Introduce hwspin_lock_bust()" 2024-11-24 00:23:48 +01:00
hwtracing Revert "coresight: tmc: sg: Do not leak sg_table" 2024-11-24 00:23:19 +01:00
i2c i2c: riic: Always round-up when calculating bus period 2025-01-15 16:29:41 +01:00
i3c i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock 2024-12-17 13:24:32 +01:00
ide
idle
ifconn
iio ad7780: fix division by zero in ad7780_write_raw() 2024-12-17 13:24:23 +01:00
infiniband RDMA/uverbs: Prevent integer overflow issue 2025-01-15 16:29:56 +01:00
input drivers: sec_input: stm_cmd.c: Expand snprintf sizes 2024-12-17 21:43:20 +01:00
interconnect Revert "interconnect: qcom: sm8250: Enable sync_state" 2024-11-24 00:23:19 +01:00
iommu iommu/arm-smmu: Defer probe of clients after smmu device bound 2024-12-17 13:24:29 +01:00
ipack
irqchip irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base 2025-01-15 16:29:56 +01:00
isdn mISDN: Fix a use after free in hfcmulti_tx() 2024-11-23 23:20:17 +01:00
kperfmon
kq/mesh
leds leds: class: Protect brightness_show() with led_cdev->led_access mutex 2024-12-17 13:24:32 +01:00
lightnvm
macintosh macintosh/therm_windtunnel: fix module unload. 2024-11-23 23:20:11 +01:00
mailbox Revert "mailbox: rockchip: fix a typo in module autoloading" 2024-11-24 00:23:13 +01:00
mcb
md bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again 2024-12-17 13:24:28 +01:00
media media: platform: exynos: camera: Fix enum-compare compilation error from clang 19 2025-01-16 23:06:54 +01:00
memory memory: stm32-fmc2-ebi: check regmap_read return value 2024-11-23 23:20:46 +01:00
memstick
message scsi: fusion: Remove unused variable 'rc' 2024-12-17 13:24:09 +01:00
mfd mfd: rt5033: Fix missing regmap_del_irq_chip() 2024-12-17 13:24:08 +01:00
misc VMCI: Fix use-after-free when removing resource in vmci_resource_remove() 2025-01-19 00:09:59 +01:00
mmc mmc: cqhci: Fix checking of CQHCI_HALT state 2025-01-19 00:09:58 +01:00
most
mtd mtd: rawnand: fix double free in atmel_pmecc_create_user() 2025-01-15 16:29:50 +01:00
muic
mux
net net: wireless: scsc: Add support for NL80211_WPA_VERSION_3 2025-01-16 23:19:27 +01:00
nfc nfc: pn533: Add poll mod list filling check 2024-11-23 23:20:55 +01:00
ntb Revert "ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()" 2024-11-24 00:23:20 +01:00
nubus
nvdimm nvdimm: rectify the illogical code within nd_dax_probe() 2024-12-17 13:24:32 +01:00
nvme nvmet-tcp: fix kernel crash if commands allocation fails 2025-01-19 00:09:58 +01:00
nvmem nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc 2025-01-19 00:09:59 +01:00
of of: Fix refcount leakage for OF node returned by __of_get_dma_parent() 2025-01-15 16:29:47 +01:00
opp
oprofile
parisc
parport Revert "parport: Proper fix for array out-of-bounds access" 2024-11-24 00:22:51 +01:00
pci PCI: Add ACS quirk for Broadcom BCM5760X NIC 2025-01-15 16:29:40 +01:00
pcmcia Revert "pcmcia: Use resource_size function on resource object" 2024-11-24 00:23:42 +01:00
perf
phy phy: core: Fix that API devm_phy_destroy() fails to destroy the phy 2025-01-15 16:29:49 +01:00
pinctrl pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking 2025-01-15 16:29:56 +01:00
platform platform/x86: asus-nb-wmi: Ignore unknown event 0xCF 2025-01-15 16:29:50 +01:00
pnp
power power: supply: gpio-charger: Fix set charge current limits 2025-01-15 16:29:51 +01:00
powercap Revert "powercap: RAPL: fix invalid initialization for pl4_supported field" 2024-11-24 00:23:18 +01:00
pps Revert "pps: remove usage of the deprecated ida_simple_xx() API" 2024-11-24 00:23:14 +01:00
ps3
ptp ptp: Add error handling for adjfine callback in ptp_clock_adjtime 2024-12-17 13:24:25 +01:00
pwm pwm: imx27: Workaround of the pwm output bug when decrease the duty cycle 2024-12-17 13:24:02 +01:00
rapidio
ras
regulator regulator: rk808: Add apply_bit for BUCK3 on RK809 2024-12-17 13:23:58 +01:00
remoteproc remoteproc: qcom_q6v5_mss: Re-order writes to the IMEM region 2024-12-17 13:24:13 +01:00
reset Revert "reset: berlin: fix OF node leak in probe() error path" 2024-11-24 00:23:27 +01:00
rpmsg rpmsg: glink: Propagate TX failures in intentless mode as well 2024-12-17 13:24:21 +01:00
rtc rtc: ab-eoz9: don't fail temperature reads on undervoltage notification 2024-12-17 13:24:22 +01:00
s390 Revert "s390/zcore: no need to check return value of debugfs_create functions" 2024-11-24 00:22:59 +01:00
samsung
sbus
scsi scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error 2025-01-15 16:29:50 +01:00
sensorhub
sensors
sfi
sh sh: clk: Fix clk_enable() to return 0 on NULL clk 2025-01-15 16:29:45 +01:00
siox
slimbus
soc fvmap: move undervolting settings to Kconfig 2025-01-15 16:40:04 +01:00
soundwire Revert "soundwire: stream: fix programming slave ports for non-continous port maps" 2024-11-24 00:23:49 +01:00
spi spi: mpc52xx: Add cancel_work_sync before module remove 2024-12-17 13:24:27 +01:00
spmi
spu_verify
ssb ssb: Fix division by zero issue in ssb_calc_clock_rate 2024-11-23 23:20:44 +01:00
staging Revert "clkdev: remove CONFIG_CLKDEV_LOOKUP" 2025-01-02 17:01:18 +01:00
sti
target scsi: target: core: Fix null-ptr-deref in target_alloc_device() 2024-11-23 23:21:59 +01:00
tc
tee
thermal
thunderbolt thunderbolt: Add support for Intel Panther Lake-M/P 2025-01-15 16:29:53 +01:00
tty serial: 8250: omap: Move pm_runtime_get_sync 2024-12-17 13:24:19 +01:00
uh
uio uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind 2025-01-19 00:09:59 +01:00
usb USB: serial: option: add MediaTek T7XX compositions 2025-01-15 16:29:41 +01:00
vdpa vdpa/mlx5: Fix suboptimal range on iotlb iteration 2024-12-17 13:24:13 +01:00
vfio vfio/pci: Properly hide first-in-list PCIe extended capability 2024-12-17 13:24:13 +01:00
vhost Revert "vdpa: Add eventfd for the vdpa callback" 2024-11-24 00:23:19 +01:00
vibrator
video fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem() 2024-12-17 13:24:09 +01:00
virt
virtio Revert "vdpa: Add eventfd for the vdpa callback" 2024-11-24 00:23:19 +01:00
vision
vision3
visorbus
vlynq
vme
w1
watchdog watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 2025-01-15 16:29:50 +01:00
xen xen: Fix the issue of resource not being properly released in xenbus_dev_probe() 2024-12-17 13:24:17 +01:00
zorro
Kconfig Added KernelSU 2024-11-19 22:44:48 +01:00
Kconfig.variant1
kernelsu Welcome KernelSU Next 2025-01-15 16:32:35 +01:00
Makefile Added KernelSU 2024-11-19 22:44:48 +01:00
Makefile.variant1