ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct

Prevents leaking pointers between processes Signed-off-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Martijn Coenen <maco@android.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct
Prevents leaking pointers between processes Signed-off-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Martijn Coenen <maco@android.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Arve Hjønnevåg · Greg Kroah-Hartman
1 parent 0a3ffab93f
Showing 1 changed file with 5 additions and 0 deletions Side-by-side Diff
drivers/android/binder.c
@@ -1584,7 +1584,9 @@
 				fp->type = BINDER_TYPE_HANDLE;
 			else
 				fp->type = BINDER_TYPE_WEAK_HANDLE;
+			fp->binder = 0;
 			fp->handle = ref->desc;
+			fp->cookie = 0;
 			binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE,
 				       &thread->todo);
  
  
@@ -1634,7 +1636,9 @@
 					return_error = BR_FAILED_REPLY;
 					goto err_binder_get_ref_for_node_failed;
 				}
+				fp->binder = 0;
 				fp->handle = new_ref->desc;
+				fp->cookie = 0;
 				binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL);
 				trace_binder_transaction_ref_to_ref(t, ref,
 								    new_ref);
@@ -1688,6 +1692,7 @@
 			binder_debug(BINDER_DEBUG_TRANSACTION,
 				     "        fd %d -> %d\n", fp->handle, target_fd);
 			/* TODO: fput? */
+			fp->binder = 0;
 			fp->handle = target_fd;
 		} break;
...	...	@@ -1584,7 +1584,9 @@
1584	1584	fp->type = BINDER_TYPE_HANDLE;
1585	1585	else
1586	1586	fp->type = BINDER_TYPE_WEAK_HANDLE;
	1587	+ fp->binder = 0;
1587	1588	fp->handle = ref->desc;
	1589	+ fp->cookie = 0;
1588	1590	binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE,
1589	1591	&thread->todo);
1590	1592
1591	1593
...	...	@@ -1634,7 +1636,9 @@
1634	1636	return_error = BR_FAILED_REPLY;
1635	1637	goto err_binder_get_ref_for_node_failed;
1636	1638	}
	1639	+ fp->binder = 0;
1637	1640	fp->handle = new_ref->desc;
	1641	+ fp->cookie = 0;
1638	1642	binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL);
1639	1643	trace_binder_transaction_ref_to_ref(t, ref,
1640	1644	new_ref);
...	...	@@ -1688,6 +1692,7 @@
1688	1692	binder_debug(BINDER_DEBUG_TRANSACTION,
1689	1693	" fd %d -> %d\n", fp->handle, target_fd);
1690	1694	/* TODO: fput? */
	1695	+ fp->binder = 0;
1691	1696	fp->handle = target_fd;
1692	1697	} break;
1693	1698