commit | 502a526abc2b77975063ab74c9c5446190ea14e9 | |
---|---|---|
author | Todd Kjos <tkjos@google.com> | Mon Jun 10 09:14:25 2019 -0700 |
committer | Todd Kjos <tkjos@google.com> | Mon Nov 04 10:57:11 2019 -0800 |
tree | 7e0e25252eee337497df83f47d09759683196e9e | |
parent | 3fcf2711397454533fc3beabb71eef59f5247f2b | |

binder: binder: fix possible UAF when freeing buffer

There is a race between the binder driver cleaning up a completed transaction via binder_free_transaction() and a user calling binder_ioctl(BC_FREE_BUFFER) to release a buffer. It doesn't matter which is first but they need to be protected against running concurrently which can result in a UAF.

Bug: 133758011
Change-Id: Ie1426ff3d00218d050d61ff77b333ddf8818b7c9
Signed-off-by: Todd Kjos <tkjos@google.com>