diff options
| author |  Todd Kjos <tkjos@google.com>
| 2021-12-20 11:01:50 -0800 |
|---|---|---|
| committer |  Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| 2021-12-21 11:07:34 +0100 |
| commit | cfd0d84ba28c18b531648c9d4a35ecca89ad9901 (patch) | |
| tree | f454a0353d54eff36b10533f10c54765fe2fd1cf /drivers/virt | |
| parent | Linux 5.16-rc5 (diff) | |
| download | linux-cfd0d84ba28c18b531648c9d4a35ecca89ad9901.tar.gz linux-cfd0d84ba28c18b531648c9d4a35ecca89ad9901.tar.bz2 linux-cfd0d84ba28c18b531648c9d4a35ecca89ad9901.zip | |
binder: fix async_free_space accounting for empty parcels
In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
fixed a kernel structure visibility issue. As part of that patch,
sizeof(void *) was used as the buffer size for 0-length data payloads so
the driver could detect abusive clients sending 0-length asynchronous
transactions to a server by enforcing limits on async_free_size.
Unfortunately, on the "free" side, the accounting of async_free_space
did not add the sizeof(void *) back. The result was that up to 8-bytes of
async_free_space were leaked on every async transaction of 8-bytes or
less. These small transactions are uncommon, so this accounting issue
has gone undetected for several years.
The fix is to use "buffer_size" (the allocated buffer size) instead of
"size" (the logical buffer size) when updating the async_free_space
during the free operation. These are the same except for this
corner case of asynchronous transactions with payloads < 8 bytes.
Fixes: 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable@vger.kernel.org # 4.14+
Link: https://lore.kernel.org/r/20211220190150.2107077-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/virt')
0 files changed, 0 insertions, 0 deletions