Google Git
Sign in
android / kernel / common / refs/tags/ASB-2019-08-05_3.18
taga83d89352d61d9fe37cf5eb14ce514323b107323
taggerTodd Kjos <tkjos@google.com>Mon Aug 05 10:33:01 2019 -0700
object3f2494ff5ad4f755d698ed6fa91c7b24c4a7c6de 
https://source.android.com/security/bulletin/2019-08-01
commit3f2494ff5ad4f755d698ed6fa91c7b24c4a7c6de[log] [tgz]
authorTodd Kjos <tkjos@android.com>Wed Jun 12 13:29:27 2019 -0700
committerTodd Kjos <tkjos@google.com>Mon Aug 05 08:59:44 2019 -0700
tree8583bf950b14109e685e21dd0c3c6b30a47bfd81
parenta00cecdaef2e83258821321419609189bde08342 [diff]
binder: fix possible UAF when freeing buffer

commit a370003cc301d4361bae20c9ef615f89bf8d1e8a upstream

There is a race between the binder driver cleaning
up a completed transaction via binder_free_transaction()
and a user calling binder_ioctl(BC_FREE_BUFFER) to
release a buffer. It doesn't matter which is first but
they need to be protected against running concurrently
which can result in a UAF.

Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org> # 4.14 4.19
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 file changed
tree: 8583bf950b14109e685e21dd0c3c6b30a47bfd81
  1. android/
  2. arch/
  3. block/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .gitignore
  24. .mailmap
  25. build.config.cuttlefish.x86_64
  26. COPYING
  27. CREDITS
  28. Kbuild
  29. Kconfig
  30. MAINTAINERS
  31. Makefile
  32. README
  33. REPORTING-BUGS
  34. verity_dev_keys.der.x509