Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / android_kernel_shift_sdm845 / dc734d732df47182993f8b90ea19ad3ff971a554
commitdc734d732df47182993f8b90ea19ad3ff971a554[log] [tgz]
authorTodd Kjos <tkjos@google.com>Mon Jun 10 09:14:25 2019 -0700
committerTodd Kjos <tkjos@google.com>Mon Nov 04 09:11:18 2019 -0800
tree942f39de6790129c6a5e4551dfb488a5496161e5
parent7dc56e310221922235e966603c0eb6113f9dc82d [diff]
binder: binder: fix possible UAF when freeing buffer

There is a race between the binder driver cleaning
up a completed transaction via binder_free_transaction()
and a user calling binder_ioctl(BC_FREE_BUFFER) to
release a buffer. It doesn't matter which is first but
they need to be protected against running concurrently
which can result in a UAF.

Bug: 133758011
Change-Id: Ie1426ff3d00218d050d61ff77b333ddf8818b7c9
Signed-off-by: Todd Kjos <tkjos@google.com>
1 file changed
tree: 942f39de6790129c6a5e4551dfb488a5496161e5
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. build.config.aarch64
  29. build.config.common
  30. build.config.cuttlefish.aarch64
  31. build.config.cuttlefish.x86_64
  32. build.config.goldfish.arm
  33. build.config.goldfish.arm64
  34. build.config.goldfish.mips
  35. build.config.goldfish.mips64
  36. build.config.goldfish.x86
  37. build.config.goldfish.x86_64
  38. build.config.x86_64
  39. COPYING
  40. CREDITS
  41. Kbuild
  42. Kconfig
  43. MAINTAINERS
  44. Makefile
  45. README
  46. REPORTING-BUGS
  47. verity_dev_keys.x509