WSL2-Linux-Kernel/drivers
Carlos Llamas c2a4b5dc8f binder: fix UAF of ref->proc caused by race condition
commit a0e44c64b6 upstream.

A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the
reference for a node. In this case, the target proc normally releases
the failed reference upon close as expected. However, if the target is
dying in parallel the call will race with binder_deferred_release(), so
the target could have released all of its references by now leaving the
cleanup of the new failed reference unhandled.

The transaction then ends and the target proc gets released making the
ref->proc now a dangling pointer. Later on, ref->node is closed and we
attempt to take spin_lock(&ref->proc->inner_lock), which leads to the
use-after-free bug reported below. Let's fix this by cleaning up the
failed reference on the spot instead of relying on the target to do so.

  ==================================================================
  BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150
  Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590

  CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10
  Hardware name: linux,dummy-virt (DT)
  Workqueue: events binder_deferred_func
  Call trace:
   dump_backtrace.part.0+0x1d0/0x1e0
   show_stack+0x18/0x70
   dump_stack_lvl+0x68/0x84
   print_report+0x2e4/0x61c
   kasan_report+0xa4/0x110
   kasan_check_range+0xfc/0x1a4
   __kasan_check_write+0x3c/0x50
   _raw_spin_lock+0xa8/0x150
   binder_deferred_func+0x5e0/0x9b0
   process_one_work+0x38c/0x5f0
   worker_thread+0x9c/0x694
   kthread+0x188/0x190
   ret_from_fork+0x10/0x20

Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Cc: stable <stable@kernel.org> # 4.14+
Link: https://lore.kernel.org/r/20220801182511.3371447-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-09-08 12:28:04 +02:00
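The ordering the commit message describes, written out as a single-threaded userspace model. This is an added example, not the binder driver's code or the fix itself; every name in it (proc_model, ref_model, node_model, translate_weak_handle, proc_deferred_release, node_release, run) is hypothetical, and the weak-increment failure is forced through a test knob rather than reproduced from a real transaction. Instead of handing the dying proc back to the allocator it is poisoned with a flag, so the lock taken through the dangling ref->proc is counted rather than crashing, and the same model shows both the normal close path (the target's deferred release finds and frees the failed ref) and the race (the deferred release already ran, nobody cleans the ref up, and node teardown dereferences a freed proc).

```c
/* Added example, not the binder driver's code; all names are hypothetical.
 * Single-threaded model of the race in the commit message: the interleaving
 * is spelled out step by step, and a freed proc is poisoned with a flag
 * instead of being returned to the allocator, so the UAF is counted. */
#include <stdio.h>
#include <stdlib.h>
#define MAX_REFS 8

struct node_model {
    int fail_next_weak_inc;              /* test knob: make the next inc fail */
    struct ref_model *refs[MAX_REFS];    /* refs pointing at this node */
    int nrefs;
};
struct ref_model {
    struct proc_model *proc;             /* process holding this ref */
    struct node_model *node;
    int has_weak;                        /* 1 once the weak inc succeeded */
};
struct proc_model {
    struct ref_model *refs[MAX_REFS];    /* refs this process holds */
    int nrefs;
    int freed;                           /* poison flag: proc was "kfreed" */
    int uaf_lock_hits;                   /* inner_lock taken on a freed proc */
};

static void list_remove(struct ref_model **arr, int *n, struct ref_model *r)
{
    for (int i = 0; i < *n; i++)
        if (arr[i] == r) { arr[i] = arr[--*n]; return; }
}

/* Stand-in for spin_lock(&proc->inner_lock); the only instrumented access. */
static void proc_inner_lock(struct proc_model *p)
{
    if (p->freed) p->uaf_lock_hits++;
}

/* Unlink a ref from its node and from its owning proc, then free it. */
static void free_ref(struct ref_model *r)
{
    list_remove(r->node->refs, &r->node->nrefs, r);
    list_remove(r->proc->refs, &r->proc->nrefs, r);
    free(r);
}

/* Weak-handle translation: create the ref, then try the weak inc on the
 * node. fixed=1 frees a failed ref on the spot; fixed=0 leaves it for the
 * target proc to release on close (the pre-fix behaviour). */
static int translate_weak_handle(struct proc_model *target,
                                 struct node_model *node, int fixed)
{
    struct ref_model *r = calloc(1, sizeof(*r));
    if (!r) return -1;
    r->proc = target;
    r->node = node;
    node->refs[node->nrefs++] = r;
    target->refs[target->nrefs++] = r;
    if (node->fail_next_weak_inc) {      /* the increment fails */
        node->fail_next_weak_inc = 0;
        if (fixed) free_ref(r);
        return -1;
    }
    r->has_weak = 1;
    return 0;
}

/* The dying target's deferred release: drop every ref it still holds. */
static void proc_deferred_release(struct proc_model *p)
{
    while (p->nrefs) free_ref(p->refs[0]);
}

/* Node teardown: lock each remaining ref's owner, then drop the ref. */
static void node_release(struct node_model *n)
{
    while (n->nrefs) {
        struct ref_model *r = n->refs[0];
        proc_inner_lock(r->proc);        /* dangling if the owner was freed */
        free_ref(r);
    }
}

/* Returns how many times inner_lock was taken on the freed proc.
 * target_dies_first=1 is the interleaving from the commit message: the
 * deferred release already ran when the failed ref is created, so nothing
 * cleans it up; target_dies_first=0 is the normal close-after-transaction path. */
static int run(int target_dies_first, int fixed)
{
    struct node_model node = { .fail_next_weak_inc = 1 };
    struct proc_model target = { 0 };

    if (target_dies_first) proc_deferred_release(&target);
    translate_weak_handle(&target, &node, fixed);    /* weak inc fails */
    if (!target_dies_first) proc_deferred_release(&target);
    target.freed = 1;                    /* transaction over, proc released */
    node_release(&node);                 /* later: ref->node is closed */
    return target.uaf_lock_hits;
}

int main(void)
{
    printf("race unfixed=%d race fixed=%d no-race unfixed=%d\n",
           run(1, 0), run(1, 1), run(0, 0));
}
```

run(1, 0) reports one access to the freed proc, which is the spin_lock(&ref->proc->inner_lock) in the KASAN report above; run(1, 1) and both run(0, ...) orderings report none, showing why cleaning up on the spot closes the window regardless of when the target dies.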
accessibility tty: the rest, stop using tty_schedule_flip() 2022-07-29 17:25:32 +02:00
acpi ACPI: thermal: drop an always true check 2022-09-05 10:30:03 +02:00
amba
android binder: fix UAF of ref->proc caused by race condition 2022-09-08 12:28:04 +02:00
ata ata: libata-eh: Add missing command name 2022-08-25 11:39:55 +02:00
atm atm: idt77252: fix use-after-free bugs caused by tst_timer 2022-08-25 11:40:15 +02:00
auxdisplay
base drivers/base: fix userspace break from using bin_attributes for cpumap and cpulist 2022-08-31 17:16:35 +02:00
bcma
block loop: Check for overflow while configuring loop 2022-08-31 17:16:47 +02:00
bluetooth Bluetooth: hci_intel: Add check for platform_driver_register 2022-08-17 14:23:34 +02:00
bus bus: hisi_lpc: fix missing platform_device_put() in hisi_lpc_acpi_probe() 2022-08-17 14:23:10 +02:00
cdrom
char random: update comment from copy_to_user() -> copy_to_iter() 2022-06-29 09:03:31 +02:00
clk clk: qcom: clk-alpha-pll: fix clk_trion_pll_configure description 2022-08-25 11:40:34 +02:00
clocksource clocksource/drivers/ixp4xx: remove EXPORT_SYMBOL_GPL from ixp4xx_timer_setup() 2022-07-07 17:53:32 +02:00
comedi comedi: vmk80xx: fix expression for tx buffer size 2022-06-22 14:22:03 +02:00
connector
counter
cpufreq cpufreq: pmac32-cpufreq: Fix refcount leak bug 2022-07-21 21:24:34 +02:00
cpuidle cpuidle: PSCI: Improve support for suspend-to-RAM for PSCI OSI mode 2022-06-09 10:22:33 +02:00
crypto crypto: hisilicon/sec - fix auth key size error 2022-08-17 14:23:35 +02:00
cxl cxl/port: Hold port reference until decoder release 2022-07-12 16:34:58 +02:00
dax dax: make sure inodes are flushed before destroy cache 2022-04-08 14:23:31 +02:00
dca
devfreq PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events 2022-07-07 17:53:27 +02:00
dio
dma dmaengine: sprd: Cleanup in .remove() after pm_runtime_get_sync() failed 2022-08-25 11:40:38 +02:00
dma-buf udmabuf: Set the DMA mask for the udmabuf device (v2) 2022-09-05 10:30:06 +02:00
edac EDAC/ghes: Set the DIMM label unconditionally 2022-08-03 12:03:55 +02:00
eisa
extcon extcon: Modify extcon device to be created after driver data is set 2022-06-14 18:36:22 +02:00
firewire firewire: core: extend card->lock in fw_core_handle_bus_reset 2022-05-12 12:30:05 +02:00
firmware firmware: tegra: bpmp: Do only aligned access to IPC memory area 2022-09-05 10:30:03 +02:00
fpga fpga: altera-pr-ip: fix unsigned comparison with less than zero 2022-08-17 14:23:41 +02:00
fsi fsi: occ: Force sequence numbering per OCC 2022-07-07 17:53:32 +02:00
gnss
gpio gpio: gpiolib-of: Fix refcount bugs in of_mm_gpiochip_add_data() 2022-08-17 14:23:56 +02:00
gpu drm/i915/display: avoid warnings when registering dual panel backlight 2022-09-08 12:28:02 +02:00
greybus
hid HID: thrustmaster: Add sparco wheel and fix array length 2022-09-05 10:30:08 +02:00
hsi
hv Drivers: hv: balloon: Support status report for larger page sizes 2022-09-05 10:30:04 +02:00
hwmon hwmon: (drivetemp) Add module alias 2022-08-17 14:23:13 +02:00
hwspinlock
hwtracing coresight: etm4x: avoid build failure with unrolled loops 2022-08-25 11:40:35 +02:00
i2c i2c: imx: Make sure to unregister adapter on remove() 2022-08-25 11:40:26 +02:00
i3c
idle intel_idle: Disable IBRS during long idle 2022-07-23 12:54:04 +02:00
iio iio: adc: mcp3911: use correct formula for AD conversion 2022-09-08 12:28:04 +02:00
infiniband RDMA/rxe: Limit the number of calls to each tasklet 2022-08-25 11:40:37 +02:00
input Input: iforce - wake up after clearing IFORCE_XMIT_RUNNING flag 2022-09-08 12:28:03 +02:00
interconnect interconnect: imx: fix max_node_id 2022-08-17 14:23:53 +02:00
iommu iommu/io-pgtable-arm-v7s: Add a quirk to allow pgtable PA up to 35bit 2022-08-25 11:40:41 +02:00
ipack
irqchip irqchip/tegra: Fix overflow implicit truncation warnings 2022-08-25 11:40:32 +02:00
isdn
leds
macintosh macintosh/adb: fix oob read in do_adb_query() function 2022-08-11 13:07:54 +02:00
mailbox mailbox: forward the hrtimer if not queued and under a lock 2022-06-09 10:23:12 +02:00
mcb
md md: call __md_stop_writes in md_stop 2022-08-31 17:16:50 +02:00
media media: pvrusb2: fix memory leak in pvr_probe 2022-09-05 10:30:07 +02:00
memory memory: renesas-rpc-if: Avoid unaligned bus access for HyperFlash 2022-07-12 16:34:52 +02:00
memstick memstick/ms_block: Fix a memory leak 2022-08-17 14:23:50 +02:00
message
mfd mfd: max77620: Fix refcount leak in max77620_initialise_fps 2022-08-17 14:24:09 +02:00
misc misc: fastrpc: fix memory corruption on open 2022-09-08 12:28:04 +02:00
mmc mmc: core: Fix inconsistent sd3_bus_mode at UHS-I SD voltage switch failure 2022-09-08 12:28:04 +02:00
most
mtd mtd: spi-nor: fix spi_nor_spimem_setup_op() call in spi_nor_erase_{sector,chip}() 2022-08-17 14:23:58 +02:00
mux
net mlxbf_gige: compute MDIO period based on i1clk 2022-09-08 12:28:03 +02:00
nfc nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout 2022-08-31 17:16:38 +02:00
ntb NTB: ntb_tool: uninitialized heap data in tool_fn_write() 2022-08-25 11:40:14 +02:00
nubus
nvdimm nvdimm: Fix badblocks clear off-by-one error 2022-07-07 17:53:24 +02:00
nvme block: add a bdev_max_zone_append_sectors helper 2022-08-31 17:16:34 +02:00
nvmem
of of/fdt: declared return type does not match actual return type 2022-08-17 14:23:59 +02:00
opp opp: Fix error check in dev_pm_opp_attach_genpd() 2022-08-17 14:24:01 +02:00
parisc parisc: Check the return value of ioremap() in lba_driver_probe() 2022-08-17 14:22:51 +02:00
parport
pci Revert "PCI/portdrv: Don't disable AER reporting in get_port_device_capability()" 2022-09-05 10:30:06 +02:00
pcmcia pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards 2022-06-14 18:36:02 +02:00
perf drivers/perf: arm_spe: Fix consistency of SYS_PMSCR_EL1.CX 2022-08-17 14:23:14 +02:00
phy phy: samsung: phy-exynos-pcie: sanitize init/power_on callbacks 2022-08-25 11:40:39 +02:00
pinctrl pinctrl: intel: Check against matching data instead of ACPI companion 2022-08-25 11:40:36 +02:00
platform platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask 2022-09-08 12:28:01 +02:00
pnp
power power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe 2022-07-29 17:25:10 +02:00
powercap
pps pps: clients: gpio: Propagate return value from pps_gpio_probe 2022-04-08 14:23:44 +02:00
ps3
ptp ptp: replace snprintf with sysfs_emit 2022-04-13 20:59:01 +02:00
pwm pwm: lpc18xx: Fix period handling 2022-08-17 14:23:16 +02:00
rapidio
ras
regulator regulator: of: Fix refcount leak bug in of_get_regulation_constraints() 2022-08-17 14:23:14 +02:00
remoteproc remoteproc: sysmon: Wait for SSCTL service to come up 2022-08-17 14:24:09 +02:00
reset reset: tegra-bpmp: Restore Handle errors in BPMP response 2022-04-27 14:38:55 +02:00
rpmsg rpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge 2022-08-17 14:24:08 +02:00
rtc rtc: rx8025: fix 12/24 hour mode detection on RX-8035 2022-08-17 14:22:53 +02:00
s390 scsi: zfcp: Fix missing auto port scan and thus missing target ports 2022-08-17 14:24:16 +02:00
sbus
scsi scsi: storvsc: Remove WQ_MEM_RECLAIM from storvsc_error_wq 2022-08-31 17:16:51 +02:00
sh
siox
slimbus slimbus: qcom: Fix IRQ check in qcom_slim_probe 2022-05-18 10:26:55 +02:00
soc soc: qcom: Make QCOM_RPMPD depend on PM 2022-08-17 14:23:14 +02:00
soundwire soundwire: qcom: fix device status array range 2022-09-08 12:28:03 +02:00
spi spi: meson-spicc: add local pow2 clock ops to preserve rate between messages 2022-08-25 11:40:23 +02:00
spmi
ssb
staging staging: r8188eu: add firmware dependency 2022-09-08 12:28:03 +02:00
target target: remove an incorrect unmap zeroes data deduction 2022-06-09 10:22:47 +02:00
tc
tee tee: add overflow check in register_shm_helper() 2022-08-21 15:17:47 +02:00
thermal thermal: sysfs: Fix cooling_device_stats_setup() error code path 2022-08-17 14:22:50 +02:00
thunderbolt thunderbolt: Use different lane for second DisplayPort tunnel 2022-06-14 18:36:20 +02:00
tty tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete 2022-09-08 12:28:03 +02:00
uio
usb USB: serial: ftdi_sio: add Omron CS1W-CIF31 device id 2022-09-08 12:28:04 +02:00
vdpa vduse: Tie vduse mgmtdev and its device 2022-07-21 21:24:33 +02:00
vfio vfio: Clear the caps->buf to NULL after free 2022-08-25 11:40:41 +02:00
vhost vringh: Fix loop descriptors check in the indirect cases 2022-06-14 18:36:24 +02:00
video fbdev: fb_pm2fb: Avoid potential divide by zero error 2022-09-05 10:30:07 +02:00
virt vboxguest: Do not use devm for irq 2022-08-25 11:40:33 +02:00
virtio virtio_mmio: Restore guest page size on resume 2022-07-21 21:24:33 +02:00
visorbus
vlynq
vme
w1 w1: w1_therm: fixes w1_seq for ds28ea00 sensors 2022-04-13 20:59:11 +02:00
watchdog watchdog: armada_37xx_wdt: check the return value of devm_ioremap() in armada_37xx_wdt_probe() 2022-08-17 14:24:11 +02:00
xen xen/privcmd: fix error exit of privcmd_ioctl_dm_op() 2022-08-31 17:16:49 +02:00
zorro
Kconfig
Makefile