Fix for CVE-2019-1999 not publicly available yet
UPSTREAM: binder: fix proc->files use-after-free
proc->files cleanup is initiated by binder_vma_close. Therefore
a reference on the binder_proc is not enough to prevent the
files_struct from being released while the binder_proc still has
a reference. This can lead to an attempt to dereference the
stale pointer obtained from proc->files prior to proc->files
cleanup. This has been seen once in task_get_unused_fd_flags()
when __alloc_fd() is called with a stale "files".
The fix is to protect proc->files with a mutex to prevent cleanup
while in use.
Signed-off-by: Todd Kjos <firstname.lastname@example.org>
Cc: stable <email@example.com> # 4.14
Signed-off-by: Greg Kroah-Hartman <firstname.lastname@example.org>
(cherry picked from commit 7f3dc0088b98533f17128058fac73cd8b2752ef1)
1 file changed