Google Git
Sign in
android/kernel/common/20c8a0089294504692c17419fe67381689325d6d
commit
20c8a0089294504692c17419fe67381689325d6d
[log]
author
Chenbo Feng <fengc@google.com>
Tue Nov 28 18:22:11 2017 -0800
committer
Todd Kjos <tkjos@google.com>
Wed Feb 07 15:57:14 2018 -0800
tree
0d4ea6436b00d27d3eb603837bd52bcb218faaa3
parent
550c01d0e051461437d6e9d72f573759e7bc5047 [diff]
ANDROID: qtaguid: Fix the UAF probelm with tag_ref_tree

When multiple threads is trying to tag/delete the same socket at the
same time, there is a chance the tag_ref_entry of the target socket to
be null before the uid_tag_data entry is freed. It is caused by the
ctrl_cmd_tag function where it doesn't correctly grab the spinlocks
when tagging a socket.

Signed-off-by: Chenbo Feng <fengc@google.com>
Bug: 65853158
Change-Id: I5d89885918054cf835370a52bff2d693362ac5f0
1 file changed
tree: 0d4ea6436b00d27d3eb603837bd52bcb218faaa3
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. build.config.goldfish.arm
  29. build.config.goldfish.arm64
  30. build.config.goldfish.mips
  31. build.config.goldfish.mips64
  32. build.config.goldfish.x86
  33. build.config.goldfish.x86_64
  34. COPYING
  35. CREDITS
  36. Kbuild
  37. Kconfig
  38. MAINTAINERS
  39. Makefile
  40. README
  41. REPORTING-BUGS