Google Git
Sign in
android / kernel / common / 502a526abc2b77975063ab74c9c5446190ea14e9
commit502a526abc2b77975063ab74c9c5446190ea14e9[log] [tgz]
authorTodd Kjos <tkjos@google.com>Mon Jun 10 09:14:25 2019 -0700
committerTodd Kjos <tkjos@google.com>Mon Nov 04 10:57:11 2019 -0800
tree7e0e25252eee337497df83f47d09759683196e9e
parent3fcf2711397454533fc3beabb71eef59f5247f2b [diff]
binder: binder: fix possible UAF when freeing buffer

There is a race between the binder driver cleaning
up a completed transaction via binder_free_transaction()
and a user calling binder_ioctl(BC_FREE_BUFFER) to
release a buffer. It doesn't matter which is first but
they need to be protected against running concurrently
which can result in a UAF.

Bug: 133758011
Change-Id: Ie1426ff3d00218d050d61ff77b333ddf8818b7c9
Signed-off-by: Todd Kjos <tkjos@google.com>
1 file changed
tree: 7e0e25252eee337497df83f47d09759683196e9e
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. build.config.cuttlefish.aarch64
  29. build.config.cuttlefish.x86_64
  30. build.config.goldfish.arm
  31. build.config.goldfish.arm64
  32. build.config.goldfish.mips
  33. build.config.goldfish.mips64
  34. build.config.goldfish.x86
  35. build.config.goldfish.x86_64
  36. COPYING
  37. CREDITS
  38. Kbuild
  39. Kconfig
  40. MAINTAINERS
  41. Makefile
  42. README
  43. REPORTING-BUGS
  44. verity_dev_keys.x509