WSL2-Linux-Kernel/drivers
Latest commit d276fb4a7e by Carlos Llamas: binder: validate alloc->mm in ->mmap() handler
[ Upstream commit 3ce00bb7e9 ]

Since commit 1da52815d5 ("binder: fix alloc->vma_vm_mm null-ptr
dereference") binder caches a pointer to the current->mm during open().
This fixes a null-ptr dereference reported by syzkaller. Unfortunately,
it also opens the door for a process to update its mm after the open()
(e.g. via execve), making the cached alloc->mm pointer invalid.

Things get worse when the process continues to mmap() a vma. From this
point forward, binder will attempt to find this vma using an obsolete
alloc->mm reference, such as in binder_update_page_range(), where the
wrong vma is obtained via vma_lookup(), yet binder proceeds to happily
insert new pages into it.

To avoid this issue, fail the ->mmap() callback if we detect a mismatch
between the vma->vm_mm and the original alloc->mm pointer. This prevents
alloc->vm_addr from getting set, so that any subsequent vma_lookup()
calls fail as expected.

Fixes: 1da52815d5 ("binder: fix alloc->vma_vm_mm null-ptr dereference")
Reported-by: Jann Horn <jannh@google.com>
Cc: <stable@vger.kernel.org> # 5.15+
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20221104231235.348958-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-12-02 17:41:00 +01:00
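The open() -> execve() -> mmap() sequence the commit message describes, as an added userspace model written for this page; it is not kernel code and not part of this repository. The structs are simplified stand-ins (an assumption) for mm_struct, vm_area_struct, binder_alloc and current, reduced to the fields the bug touches, all functions carry a model_ prefix, and the constructed input deliberately gives both the pre-execve and post-execve mm a vma at the same address range so that a lookup through the stale mm "succeeds" and returns the wrong vma. validate=false reproduces the pre-fix handler; validate=true applies the vma->vm_mm != alloc->mm check from the commit.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified stand-ins (assumption) for the kernel structures, reduced to
 * the fields the bug touches. */
struct vm_area_struct;
struct mm_struct { struct vm_area_struct *mmap_list; }; /* vmas in this mm */
struct vm_area_struct {
	struct mm_struct *vm_mm;	/* owning mm, as in the kernel */
	unsigned long vm_start, vm_end;
	struct vm_area_struct *next;
	int pages_inserted;		/* pages binder put into this vma */
};
struct task { struct mm_struct *mm; };	/* current->mm; replaced by execve() */
struct binder_alloc {
	struct mm_struct *mm;		/* cached at open() since 1da52815d5 */
	unsigned long vm_addr;		/* set by ->mmap(); 0 = not mapped */
};
enum outcome {
	REFUSED_AT_MMAP,	/* the fix: mmap() fails with -EINVAL */
	NO_VMA_FOUND,		/* vma_lookup() found nothing */
	PAGES_INTO_STALE_MM,	/* the bug: pages land in the pre-execve mm */
	PAGES_INTO_CURRENT_MM,	/* normal operation */
};

/* binder_open(): remember the opener's mm */
static void model_binder_open(struct binder_alloc *alloc, struct task *cur)
{
	alloc->mm = cur->mm;
	alloc->vm_addr = 0;
}
/* execve(): the task gets a fresh mm; alloc->mm still points at the old one */
static void model_execve(struct task *cur, struct mm_struct *new_mm)
{
	cur->mm = new_mm;
}
/* vma_lookup(): find the vma covering addr in whichever mm it is handed */
static struct vm_area_struct *model_vma_lookup(struct mm_struct *mm, unsigned long addr)
{
	for (struct vm_area_struct *v = mm->mmap_list; v; v = v->next)
		if (addr >= v->vm_start && addr < v->vm_end)
			return v;
	return NULL;
}
/* binder_alloc_mmap_handler(): validate=false trusts the vma (pre-fix);
 * validate=true refuses a vma from a different mm, so vm_addr is never set. */
static int model_binder_alloc_mmap_handler(struct binder_alloc *alloc,
					   struct vm_area_struct *vma, bool validate)
{
	if (validate && vma->vm_mm != alloc->mm)
		return -EINVAL;
	alloc->vm_addr = vma->vm_start;
	return 0;
}
/* binder_update_page_range(): resolve the vma through the cached mm, then fill it */
static int model_binder_update_page_range(struct binder_alloc *alloc)
{
	struct vm_area_struct *vma;

	if (!alloc->vm_addr)
		return -ESRCH;		/* nothing mapped: the lookup never runs */
	vma = model_vma_lookup(alloc->mm, alloc->vm_addr);
	if (!vma)
		return -ESRCH;
	vma->pages_inserted++;
	return 0;
}
/* open() -> optional execve() -> mmap() -> page insertion. Constructed input:
 * both mms hold a vma at the same range, so a lookup through the stale mm
 * returns the wrong vma instead of failing. */
static enum outcome run_scenario(bool do_execve, bool validate)
{
	struct mm_struct old_mm = { NULL }, new_mm = { NULL };
	struct vm_area_struct old_vma = { &old_mm, 0x7f000000UL, 0x7f100000UL, NULL, 0 };
	struct vm_area_struct new_vma = { &new_mm, 0x7f000000UL, 0x7f100000UL, NULL, 0 };
	struct task cur = { &old_mm };
	struct binder_alloc alloc;
	struct vm_area_struct *filled;

	old_mm.mmap_list = &old_vma;
	new_mm.mmap_list = &new_vma;
	model_binder_open(&alloc, &cur);
	if (do_execve)
		model_execve(&cur, &new_mm);
	/* mmap() on the binder fd creates its vma in the *current* mm */
	if (model_binder_alloc_mmap_handler(&alloc, cur.mm->mmap_list, validate) == -EINVAL)
		return REFUSED_AT_MMAP;
	if (model_binder_update_page_range(&alloc) != 0)
		return NO_VMA_FOUND;
	filled = old_vma.pages_inserted ? &old_vma : &new_vma;
	return filled->vm_mm == cur.mm ? PAGES_INTO_CURRENT_MM : PAGES_INTO_STALE_MM;
}

int main(void)
{
	printf("execve then mmap, pre-fix:  outcome %d\n", run_scenario(true, false));
	printf("execve then mmap, with fix: outcome %d\n", run_scenario(true, true));
	return 0;
}
```

The point of the model is the ordering: the check has to live in the ->mmap() handler, because that is the only place binder is handed a vma whose vm_mm it can compare against the pointer cached at open(); once vm_addr is set, binder_update_page_range() resolves everything through alloc->mm alone and has no way to notice the mm changed underneath it.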
accessibility speakup: fix a segfault caused by switching consoles 2022-11-26 09:24:44 +01:00
acpi ACPI: x86: Add another system to quirk list for forcing StorageD3Enable 2022-11-26 09:24:31 +01:00
amba
android binder: validate alloc->mm in ->mmap() handler 2022-12-02 17:41:00 +01:00
ata ata: libata-core: do not issue non-internal commands once EH is pending 2022-12-02 17:41:00 +01:00
atm atm: idt77252: fix use-after-free bugs caused by tst_timer 2022-08-25 11:40:15 +02:00
auxdisplay
base PM: domains: Fix handling of unavailable/disabled idle states 2022-11-03 23:59:18 +09:00
bcma
block drbd: use after free in drbd_create_device() 2022-11-26 09:24:40 +01:00
bluetooth Bluetooth: virtio_bt: Use skb_put to set length 2022-11-10 18:15:30 +01:00
bus bus: hisi_lpc: fix missing platform_device_put() in hisi_lpc_acpi_probe() 2022-08-17 14:23:10 +02:00
cdrom
char hwrng: imx-rngc - Moving IRQ handler registering after imx_rngc_irq_mask_clear() 2022-10-26 12:35:24 +02:00
clk clk: qcom: Update the force mem core bit for GPU clocks 2022-11-10 18:15:35 +01:00
clocksource clocksource/drivers/ixp4xx: remove EXPORT_SYMBOL_GPL from ixp4xx_timer_setup() 2022-07-07 17:53:32 +02:00
comedi comedi: vmk80xx: fix expression for tx buffer size 2022-06-22 14:22:03 +02:00
connector
counter counter: microchip-tcb-capture: Handle Signal1 read and Synapse 2022-11-03 23:59:13 +09:00
cpufreq cpufreq: intel_pstate: hybrid: Use known scaling factor for P-cores 2022-11-03 23:59:12 +09:00
cpuidle
crypto crypto: cavium - prevent integer overflow loading firmware 2022-10-26 12:35:28 +02:00
cxl cxl/port: Hold port reference until decoder release 2022-07-12 16:34:58 +02:00
dax devdax: Fix soft-reservation memory description 2022-09-28 11:11:57 +02:00
dca
devfreq PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events 2022-07-07 17:53:27 +02:00
dio
dma dmaengine: at_hdmac: Check return code of dma_async_device_register 2022-11-16 09:58:30 +01:00
dma-buf udmabuf: Set ubuf->sg = NULL if the creation of sg table fails 2022-10-26 12:35:39 +02:00
edac EDAC/ghes: Set the DIMM label unconditionally 2022-08-03 12:03:55 +02:00
eisa
extcon extcon: Modify extcon device to be created after driver data is set 2022-06-14 18:36:22 +02:00
firewire
firmware firmware: coreboot: Register bus in module init 2022-11-26 09:24:48 +01:00
fpga fpga: prevent integer overflow in dfl_feature_ioctl_set_irq() 2022-10-26 12:35:07 +02:00
fsi fsi: core: Check error number after calling ida_simple_get 2022-10-26 12:35:17 +02:00
gnss
gpio gpio: rockchip: request GPIO mux to pinctrl when setting direction 2022-10-26 12:34:26 +02:00
gpu drm/display: Don't assume dual mode adaptors support i2c sub-addressing 2022-12-02 17:41:00 +01:00
greybus
hid HID: hyperv: fix possible memory leak in mousevsc_probe() 2022-11-16 09:58:15 +01:00
hsi HSI: omap_ssi_port: Fix dma_map_sg error check 2022-10-26 12:35:05 +02:00
hv Drivers: hv: Never allocate anything besides framebuffer from framebuffer memory region 2022-09-28 11:11:55 +02:00
hwmon hwmon/coretemp: Handle large core ID value 2022-10-29 10:12:54 +02:00
hwspinlock hwspinlock: qcom: correct MMIO max register for newer SoCs 2022-11-16 09:58:13 +01:00
hwtracing coresight: cti: Fix hang in cti_disable_hw() 2022-11-03 23:59:13 +09:00
i2c i2c: i801: add lis3lv02d's I2C address for Vostro 5568 2022-11-26 09:24:31 +01:00
i3c
idle intel_idle: Disable IBRS during long idle 2022-07-23 12:54:04 +02:00
iio iio: pressure: ms5611: fixed value compensation bug 2022-12-02 17:41:00 +01:00
infiniband RDMA/efa: Add EFA 0xefa2 PCI ID 2022-11-26 09:24:31 +01:00
input Input: i8042 - fix leaking of platform device on module removal 2022-11-26 09:24:50 +01:00
interconnect interconnect: imx: fix max_node_id 2022-08-17 14:23:53 +02:00
iommu iommu/vt-d: Set SRE bit only when hardware has SRS cap 2022-11-26 09:24:47 +01:00
ipack
irqchip irqchip/tegra: Fix overflow implicit truncation warnings 2022-08-25 11:40:32 +02:00
isdn mISDN: fix misuse of put_device() in mISDN_register_device() 2022-11-26 09:24:39 +01:00
leds leds: lm3601x: Don't use mutex after it was destroyed 2022-10-26 12:34:39 +02:00
macintosh macintosh/adb: fix oob read in do_adb_query() function 2022-08-11 13:07:54 +02:00
mailbox mailbox: bcm-ferxrm-mailbox: Fix error check for dma_map_sg 2022-10-26 12:35:21 +02:00
mcb
md dm ioctl: fix misbehavior if list_versions races with module loading 2022-11-26 09:24:46 +01:00
media media: dvb-frontends/drxk: initialize err to 0 2022-11-10 18:15:34 +01:00
memory memory: of: Fix refcount leak bug in of_lpddr3_get_ddr_timings() 2022-10-26 12:34:58 +02:00
memstick memstick/ms_block: Fix a memory leak 2022-08-17 14:23:50 +02:00
message
mfd mtd: spi-nor: intel-spi: Disable write protection only if asked 2022-11-26 09:24:32 +01:00
misc misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram() 2022-11-26 09:24:48 +01:00
mmc mmc: sdhci-pci: Fix possible memory leak caused by missing pci_dev_put() 2022-11-26 09:24:48 +01:00
most
mtd spi: intel: Use correct mask for flash and protected regions 2022-11-26 09:24:32 +01:00
mux
net macvlan: enforce a consistent minimal mtu 2022-11-26 09:24:50 +01:00
nfc nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send() 2022-11-10 18:15:28 +01:00
ntb NTB: ntb_tool: uninitialized heap data in tool_fn_write() 2022-08-25 11:40:14 +02:00
nubus
nvdimm nvdimm: Fix badblocks clear off-by-one error 2022-07-07 17:53:24 +02:00
nvme nvme-pci: add NVME_QUIRK_BOGUS_NID for Netac NV7000 2022-12-02 17:41:00 +01:00
nvmem nvmem: core: Fix memleak in nvmem_register() 2022-10-26 12:34:23 +02:00
of of: fdt: fix off-by-one error in unflatten_dt_nodes() 2022-09-23 14:15:46 +02:00
opp opp: Fix error check in dev_pm_opp_attach_genpd() 2022-08-17 14:24:01 +02:00
parisc parisc: Export iosapic_serial_irq() symbol for serial port driver 2022-11-10 18:15:40 +01:00
parport parport_pc: Avoid FIFO port location truncation 2022-11-26 09:24:36 +01:00
pci PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridge 2022-10-26 12:34:24 +02:00
pcmcia pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards 2022-06-14 18:36:02 +02:00
perf perf/arm_pmu_platform: fix tests for platform_get_irq() failure 2022-09-20 12:39:45 +02:00
phy phy: ralink: mt7621-pci: add sentinel to quirks table 2022-11-16 09:58:17 +01:00
pinctrl pinctrl: devicetree: fix null pointer dereferencing in pinctrl_dt_to_map 2022-11-26 09:24:36 +01:00
platform platform/surface: aggregator: Do not check for repeated unsequenced packets 2022-11-26 09:24:41 +01:00
pnp
power power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type() 2022-10-26 12:35:47 +02:00
powercap powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue 2022-10-26 12:35:30 +02:00
pps
ps3
ptp
pwm pwm: lpc18xx: Fix period handling 2022-08-17 14:23:16 +02:00
rapidio
ras
regulator regulator: core: Prevent integer underflow 2022-10-26 12:35:35 +02:00
remoteproc remoteproc: sysmon: Wait for SSCTL service to come up 2022-08-17 14:24:09 +02:00
reset reset: imx7: Fix the iMX8MP PCIe PHY PERST support 2022-10-05 10:39:40 +02:00
rpmsg rpmsg: qcom: glink: replace strncpy() with strscpy_pad() 2022-10-12 09:53:28 +02:00
rtc rtc: rx8025: fix 12/24 hour mode detection on RX-8035 2022-08-17 14:22:53 +02:00
s390 scsi: zfcp: Fix double free of FSF request when qdio send fails 2022-11-26 09:24:47 +01:00
sbus
scsi scsi: scsi_debug: Fix possible UAF in sdebug_add_host_helper() 2022-11-26 09:24:50 +01:00
sh
siox siox: fix possible memory leak in siox_device_add() 2022-11-26 09:24:36 +01:00
slimbus slimbus: stream: correct presence rate frequencies 2022-11-26 09:24:44 +01:00
soc soc: imx8m: Enable OCOTP clock before reading the register 2022-11-26 09:24:39 +01:00
soundwire soundwire: qcom: check for outanding writes before doing a read 2022-11-16 09:58:14 +01:00
spi spi: stm32: Print summary 'callbacks suppressed' message 2022-11-26 09:24:33 +01:00
spmi spmi: pmic-arb: correct duplicate APID to PPID mapping logic 2022-10-26 12:35:19 +02:00
ssb
staging media: meson: vdec: fix possible refcount leak in vdec_probe() 2022-11-10 18:15:34 +01:00
target scsi: target: tcm_loop: Fix possible name leak in tcm_loop_setup_hba_bus() 2022-11-26 09:24:49 +01:00
tc
tee tee: Fix tee_shm_register() for kernel TEE drivers 2022-11-10 18:15:42 +01:00
thermal thermal: intel_powerclamp: Use first online CPU as control_cpu 2022-10-26 12:35:56 +02:00
thunderbolt thunderbolt: Add DP OUT resource when DP tunnel is discovered 2022-11-16 09:58:13 +01:00
tty tty: serial: fsl_lpuart: don't break the on-going transfer when global reset 2022-12-02 17:40:59 +01:00
uio
usb usb: typec: mux: Enter safe mode only when pins need to be reconfigured 2022-11-26 09:24:45 +01:00
vdpa vdpa/ifcvf: fix the calculation of queuepair 2022-10-05 10:39:43 +02:00
vfio vfio/type1: Unpin zero pages 2022-09-15 11:30:02 +02:00
vhost vhost/vsock: Use kvmalloc/kvfree for larger packets. 2022-10-26 12:34:47 +02:00
video fbdev: stifb: Fall back to cfb_fillrect() on 32-bit HCRX cards 2022-11-10 18:15:32 +01:00
virt vboxguest: Do not use devm for irq 2022-08-25 11:40:33 +02:00
virtio virtio_mmio: Restore guest page size on resume 2022-07-21 21:24:33 +02:00
visorbus
vlynq
vme
w1
watchdog watchdog: armada_37xx_wdt: check the return value of devm_ioremap() in armada_37xx_wdt_probe() 2022-08-17 14:24:11 +02:00
xen xen/pcpu: fix possible memory leak in register_pcpu() 2022-11-26 09:24:40 +01:00
zorro
Kconfig
Makefile