WSL2-Linux-Kernel/drivers
Carlos Llamas eef79854a0 binder: fix UAF caused by offsets overwrite
commit 4df153652cc46545722879415937582028c18af5 upstream.

Binder objects are processed and copied individually into the target
buffer during transactions. Any raw data in-between these objects is
copied as well. However, this raw data copy lacks an out-of-bounds
check. If the raw data exceeds the data section size then the copy
overwrites the offsets section. This eventually triggers an error that
attempts to unwind the processed objects. However, at this point the
offsets used to index these objects are now corrupted.

Unwinding with corrupted offsets can result in decrements of arbitrary
nodes and lead to their premature release. Other users of such nodes are
left with a dangling pointer triggering a use-after-free. This issue is
made evident by the following KASAN report (trimmed):

  ==================================================================
  BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
  Write of size 4 at addr ffff47fc91598f04 by task binder-util/743

  CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   _raw_spin_lock+0xe4/0x19c
   binder_free_buf+0x128/0x434
   binder_thread_write+0x8a4/0x3260
   binder_ioctl+0x18f0/0x258c
  [...]

  Allocated by task 743:
   __kmalloc_cache_noprof+0x110/0x270
   binder_new_node+0x50/0x700
   binder_transaction+0x413c/0x6da8
   binder_thread_write+0x978/0x3260
   binder_ioctl+0x18f0/0x258c
  [...]

  Freed by task 745:
   kfree+0xbc/0x208
   binder_thread_read+0x1c5c/0x37d4
   binder_ioctl+0x16d8/0x258c
  [...]
  ==================================================================

To avoid this issue, let's check that the raw data copy is within the
boundaries of the data section.

Fixes: 6d98eb95b4 ("binder: avoid potential data leakage when copying txn")
Cc: Todd Kjos <tkjos@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240822182353.2129600-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-09-12 11:07:51 +02:00
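The mechanism the commit message describes (a raw-data copy that is not bounded to the data section spilling into the adjacent offsets section, which then corrupts the unwind) can be modelled in a few lines of user-space C. The block below is an added illustration and is not code from the commit or from the kernel's binder driver: the buffer layout, sizes, `copy_raw_unchecked`, `copy_raw_checked` and `offsets_intact_after_copy` are all assumptions made for the example. It places the pre-fix unchecked copy beside the kind of bounds check the commit adds, and reports whether the offsets section survived.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy layout (an assumption for illustration, not binder's real structures):
 * one allocation holding a data section of DATA_SIZE bytes immediately
 * followed by an offsets section of NUM_OFFSETS 32-bit entries. */
#define DATA_SIZE    32
#define NUM_OFFSETS  4
#define OFFSETS_SIZE (NUM_OFFSETS * sizeof(uint32_t))
#define BUF_SIZE     (DATA_SIZE + OFFSETS_SIZE)

struct txn_buf {
    uint8_t bytes[BUF_SIZE];
};

static uint32_t get_offset(const struct txn_buf *b, size_t i)
{
    uint32_t v;
    memcpy(&v, b->bytes + DATA_SIZE + i * sizeof(v), sizeof(v));
    return v;
}

static void set_offset(struct txn_buf *b, size_t i, uint32_t v)
{
    memcpy(b->bytes + DATA_SIZE + i * sizeof(v), &v, sizeof(v));
}

/* Pre-fix behaviour as the commit message describes it: the raw bytes
 * between objects are copied without checking that [start, end) lies in
 * the data section, so a large end spills into the offsets section.
 * (Clamped to BUF_SIZE only so this toy stays inside its own allocation.) */
static void copy_raw_unchecked(struct txn_buf *b, const uint8_t *src,
                               size_t start, size_t end)
{
    if (end > BUF_SIZE)
        end = BUF_SIZE;
    memcpy(b->bytes + start, src + start, end - start);
}

/* Fixed behaviour: refuse any raw range that is not fully inside the
 * data section, so the offsets section can never be overwritten. */
static int copy_raw_checked(struct txn_buf *b, const uint8_t *src,
                            size_t start, size_t end)
{
    if (start > end || end > DATA_SIZE)
        return -1;
    memcpy(b->bytes + start, src + start, end - start);
    return 0;
}

/* Runs one raw copy of [0, raw_end) into a buffer whose offsets were set
 * to known values; returns 1 if every offset is still intact, 0 if the
 * copy corrupted them. *rc receives the copy's return value (always 0 for
 * the unchecked variant, which has no error path). */
int offsets_intact_after_copy(int use_checked, size_t raw_end, int *rc)
{
    struct txn_buf b;
    uint8_t src[BUF_SIZE];
    size_t i;

    memset(&b, 0, sizeof(b));
    memset(src, 0xAA, sizeof(src));            /* constructed raw payload */
    for (i = 0; i < NUM_OFFSETS; i++)
        set_offset(&b, i, (uint32_t)(i * 8));  /* constructed valid offsets */

    if (use_checked) {
        *rc = copy_raw_checked(&b, src, 0, raw_end);
    } else {
        copy_raw_unchecked(&b, src, 0, raw_end);
        *rc = 0;
    }

    for (i = 0; i < NUM_OFFSETS; i++)
        if (get_offset(&b, i) != (uint32_t)(i * 8))
            return 0;
    return 1;
}

int main(void)
{
    int rc, intact;

    intact = offsets_intact_after_copy(0, 40, &rc);
    printf("unchecked copy, raw_end=40: offsets intact=%d\n", intact);
    intact = offsets_intact_after_copy(1, 40, &rc);
    printf("checked copy,   raw_end=40: rc=%d, offsets intact=%d\n", rc, intact);
    intact = offsets_intact_after_copy(1, 32, &rc);
    printf("checked copy,   raw_end=32: rc=%d, offsets intact=%d\n", rc, intact);
    return 0;
}
```

With a raw range that ends 8 bytes past the data section, the unchecked copy silently rewrites the first two offsets, which is exactly the state the commit describes when the later error path tries to unwind by those offsets. The checked copy returns an error and leaves the offsets untouched, so the unwind only ever indexes objects through values the kernel itself wrote.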
accessibility speakup: Fix sizeof() vs ARRAY_SIZE() bug 2024-06-16 13:39:11 +02:00
acpi ACPI: SBS: manage alarm sysfs attribute through psy core 2024-08-19 05:45:37 +02:00
amba
android binder: fix UAF caused by offsets overwrite 2024-09-12 11:07:51 +02:00
ata ata: pata_macio: Use WARN instead of BUG 2024-09-12 11:07:50 +02:00
atm atm: idt77252: prevent use after free in dequeue_rx() 2024-09-04 13:23:18 +02:00
auxdisplay
base devres: Initialize an uninitialized struct member 2024-09-12 11:07:48 +02:00
bcma
block rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings 2024-08-19 05:45:22 +02:00
bluetooth Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO 2024-09-04 13:23:37 +02:00
bus bus: tegra-aconnect: Update dependency to ARCH_TEGRA 2024-03-26 18:21:19 -04:00
cdrom
char char: xillybus: Check USB endpoints when probing device 2024-09-04 13:23:15 +02:00
clk clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API 2024-09-12 11:07:44 +02:00
clocksource clocksource/drivers/arm_global_timer: Guard against division by zero 2024-09-04 13:23:25 +02:00
comedi comedi: vmk80xx: fix incomplete endpoint checking 2024-04-27 17:05:26 +02:00
connector
counter
cpufreq cpufreq: scmi: Avoid overflow of target_freq in fast switch 2024-09-12 11:07:41 +02:00
cpuidle cpuidle: Avoid potential overflow in integer multiplication 2024-04-13 13:01:43 +02:00
crypto crypto: hisilicon/sec - Fix memory leak for sec resource release 2024-07-05 09:14:24 +02:00
cxl
dax
dca
devfreq PM / devfreq: Synchronize devfreq_monitor_[start/stop] 2024-02-23 08:54:38 +01:00
dio
dma dmaengine: dw: Add memory bus width verification 2024-09-04 13:23:40 +02:00
dma-buf dma-buf/sw-sync: don't enable IRQ from sync_print_obj() 2024-06-16 13:39:49 +02:00
edac EDAC, i10nm: make skx_common.o a separate module 2024-08-19 05:44:49 +02:00
eisa
extcon extcon: max8997: select IRQ_DOMAIN instead of depending on it 2024-06-16 13:39:39 +02:00
firewire firewire: nosy: ensure user_length is taken into account when fetching packet contents 2024-05-17 11:51:01 +02:00
firmware firmware: turris-mox-rwtm: Initialize completion before mailbox 2024-08-19 05:44:55 +02:00
fpga fpga: region: add owner module and take its refcount 2024-06-16 13:39:38 +02:00
fsi
gnss
gpio gpiolib: of: add polarity quirk for TSC2005 2024-07-18 13:07:32 +02:00
gpu drm/amdgpu: Set no_hw_access when VF request full GPU fails 2024-09-12 11:07:48 +02:00
greybus greybus: Fix use-after-free bug in gb_interface_release due to race condition. 2024-07-05 09:14:23 +02:00
hid HID: amd_sfh: free driver_data after destroying hid device 2024-09-12 11:07:50 +02:00
hsi
hv
hwmon hwmon: (w83627ehf) Fix underflows seen when writing limit attributes 2024-09-12 11:07:48 +02:00
hwspinlock hwspinlock: Introduce hwspin_lock_bust() 2024-09-12 11:07:41 +02:00
hwtracing coresight: Fix ref leak when of_coresight_parse_endpoint() fails 2024-08-19 05:45:04 +02:00
i2c i2c: riic: avoid potential division by zero 2024-09-04 13:23:20 +02:00
i3c i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup 2024-09-12 11:07:49 +02:00
idle
iio iio: adc: ad7124: fix chip ID mismatch 2024-09-12 11:07:50 +02:00
infiniband RDMA/efa: Properly handle unexpected AQ completions 2024-09-12 11:07:41 +02:00
input Input: uinput - reject requests with unreasonable number of slots 2024-09-12 11:07:50 +02:00
interconnect Revert "interconnect: Teach lockdep about icc_bw_lock order" 2024-03-06 14:38:50 +00:00
iommu iommu/vt-d: Handle volatile descriptor status read 2024-09-12 11:07:48 +02:00
ipack
irqchip irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1 2024-09-12 11:07:45 +02:00
isdn mISDN: Fix a use after free in hfcmulti_tx() 2024-08-19 05:45:25 +02:00
leds leds: spi-byte: Call of_node_put() on error path 2024-09-12 11:07:46 +02:00
macintosh macintosh/therm_windtunnel: fix module unload. 2024-08-19 05:45:06 +02:00
mailbox mailbox: arm_mhuv2: Fix a bug for mhuv2_sender_interrupt 2024-02-23 08:54:50 +01:00
mcb
md dm init: Handle minors larger than 255 2024-09-12 11:07:47 +02:00
media media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse 2024-09-12 11:07:46 +02:00
memory memory: stm32-fmc2-ebi: check regmap_read return value 2024-09-04 13:23:25 +02:00
memstick
message
mfd mfd: omap-usb-tll: Use struct_size to allocate tll 2024-08-19 05:45:03 +02:00
misc mei: demote client disconnect warning on suspend to debug 2024-07-27 10:46:10 +02:00
mmc mmc: cqhci: Fix checking of CQHCI_HALT state 2024-09-12 11:07:43 +02:00
most
mtd ubi: eba: properly rollback inside self_check_eba 2024-08-19 05:45:16 +02:00
mux
net usbnet: ipheth: race between ipheth_close and error handling 2024-09-12 11:07:50 +02:00
nfc nfc: pn533: Add poll mod list filling check 2024-09-04 13:23:40 +02:00
ntb NTB: fix possible name leak in ntb_register_device() 2024-03-26 18:21:28 -04:00
nubus
nvdimm
nvme nvme-pci: Add sleep quirk for Samsung 990 Evo 2024-09-12 11:07:43 +02:00
nvmem nvmem: core: only change name to fram for current attribute 2024-07-18 13:07:42 +02:00
of of/irq: Prevent device address out-of-bounds read in interrupt map walk 2024-09-12 11:07:50 +02:00
opp OPP: debugfs: Fix warning around icc_get_name() 2024-03-26 18:21:23 -04:00
parisc
parport dev/parport: fix the array out-of-bounds risk 2024-08-19 05:45:16 +02:00
pci PCI: Add missing bridge lock to pci_bus_lock() 2024-09-12 11:07:49 +02:00
pcmcia pcmcia: Use resource_size function on resource object 2024-09-12 11:07:46 +02:00
perf
phy phy: zynqmp: Enable reference clock correctly 2024-09-04 13:23:42 +02:00
pinctrl pinctrl: single: fix potential NULL dereference in pcs_get_function() 2024-09-04 13:23:37 +02:00
platform platform/x86: dell-smbios: Fix error path in dell_smbios_init() 2024-09-12 11:07:47 +02:00
pnp PNP: ACPI: fix fortify warning 2024-02-23 08:54:38 +01:00
power power: supply: axp288_charger: Round constant_charge_voltage writes down 2024-08-19 05:45:46 +02:00
powercap
pps
ps3
ptp ptp: fix integer overflow in max_vclocks_store 2024-07-05 09:14:31 +02:00
pwm pwm: stm32: Always do lazy disabling 2024-08-19 05:44:51 +02:00
rapidio
ras
regulator regulator: bd71815: fix ramp values 2024-07-05 09:14:33 +02:00
remoteproc remoteproc: imx_rproc: Fix refcount mistake in imx_rproc_addr_init 2024-08-19 05:45:30 +02:00
reset
rpmsg
rtc rtc: isl1208: Fix return value of nvmem callbacks 2024-08-19 05:45:20 +02:00
s390 bitmap: introduce generic optimized bitmap_size() 2024-09-04 13:23:16 +02:00
sbus
scsi scsi: aacraid: Fix double-free on probe failure 2024-09-04 13:23:42 +02:00
sh
siox
slimbus slimbus: qcom-ngd-ctrl: Add timeout for wait operation 2024-05-17 11:51:04 +02:00
soc soc: qcom: cmd-db: Map shared memory as WC, not WB 2024-09-04 13:23:40 +02:00
soundwire soundwire: stream: fix programming slave ports for non-continous port maps 2024-09-04 13:23:39 +02:00
spi spi: spi-fsl-lpspi: Fix scldiv calculation 2024-08-19 05:45:42 +02:00
spmi spmi: hisi-spmi-controller: Do not override device identifier 2024-07-05 09:14:20 +02:00
ssb ssb: Fix division by zero issue in ssb_calc_clock_rate 2024-09-04 13:23:20 +02:00
staging staging: iio: frequency: ad9834: Validate frequency parameter value 2024-09-12 11:07:50 +02:00
target scsi: target: Fix SELinux error when systemd-modules loads the target module 2024-05-17 11:50:54 +02:00
tc
tee tee: optee: Fix kernel panic caused by incorrect error handling 2024-04-10 16:18:46 +02:00
thermal thermal/drivers/qcom/lmh: Check for SCM availability at probe 2024-06-16 13:39:55 +02:00
thunderbolt thunderbolt: Mark XDomain as unplugged when router is removed 2024-09-04 13:23:15 +02:00
tty serial: core: check uartclk for zero to avoid divide by zero 2024-08-19 05:45:46 +02:00
uio
usb usb: dwc3: core: update LC timer as per USB Spec V3.2 2024-09-12 11:07:51 +02:00
vdpa vduse: Temporarily fail if control queue feature requested 2024-07-05 09:14:42 +02:00
vfio vfio/fsl-mc: Block calling interrupt handler without trigger 2024-04-10 16:19:30 +02:00
vhost vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler 2024-08-19 05:45:44 +02:00
video fbdev: savage: Handle err return when savagefb_check_var failed 2024-06-16 13:39:57 +02:00
virt drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map() 2024-06-16 13:39:32 +02:00
virtio virtio: delete vq in vp_find_vqs_msix() when request_irq() fails 2024-06-16 13:39:47 +02:00
visorbus
vlynq
vme
w1
watchdog watchdog: rti_wdt: Set min_hw_heartbeat_ms to accommodate a safety margin 2024-06-16 13:39:59 +02:00
xen xen/events: close evtchn after mapping cleanup 2024-04-10 16:18:46 +02:00
zorro
Kconfig
Makefile