06 Dec, 2018
1 commit
-
commit 7bada55ab50697861eee6bb7d60b41e68a961a9c upstream.
Malicious code can attempt to free buffers using the BC_FREE_BUFFER
ioctl to binder. There are protections against a user freeing a buffer
while in use by the kernel, however there was a window where
BC_FREE_BUFFER could be used to free a recently allocated buffer that
was not completely initialized. This resulted in a use-after-free
detected by KASAN with a malicious test program.

This window is closed by setting the buffer's allow_user_free attribute
to 0 when the buffer is allocated or when the user has previously freed
it instead of waiting for the caller to set it. The problem was that
when the struct buffer was recycled, allow_user_free was stale and set
to 1 allowing a free to go through.

Signed-off-by: Todd Kjos
Acked-by: Arve Hjønnevåg
Cc: stable # 4.14
Signed-off-by: Greg Kroah-Hartman
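The stale-flag window this commit closes, replayed in a toy allocator (added illustration, not binder code or the commit's patch): a recycled struct that keeps its old allow_user_free value lets a user-initiated free through before the caller has initialized the new transaction, while clearing the flag at allocation time rejects it. The free-list, the kernel-side release path that leaves the flag set, and the function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Toy stand-in for struct binder_buffer (constructed for this example):
 * only the free-list link and the flag involved in the bug are modelled. */
struct buffer {
	struct buffer *next_free;  /* link used when the struct is recycled */
	bool allow_user_free;      /* may a BC_FREE_BUFFER request release it? */
};
static struct buffer *free_list;
static void recycle(struct buffer *b)
{
	b->next_free = free_list;
	free_list = b;
}
/* Reuse a recycled struct if one exists. clear_on_alloc=false is the pre-fix
 * behaviour: allow_user_free keeps its value from the struct's previous use. */
static struct buffer *alloc_buffer(bool clear_on_alloc)
{
	struct buffer *b = free_list;
	if (b)
		free_list = b->next_free;
	else
		b = calloc(1, sizeof(*b));
	if (clear_on_alloc)
		b->allow_user_free = false;  /* the fix: never hand out a stale grant */
	return b;
}
/* Userspace free request: honoured only while the kernel has granted it. */
static bool user_free(struct buffer *b)
{
	if (!b->allow_user_free)
		return false;
	b->allow_user_free = false;
	recycle(b);
	return true;
}
/* Replay the commit's window: a buffer delivered to userspace is released by
 * the kernel (flag left set), the struct is recycled, and userspace asks to
 * free it before the caller initializes it. Returns true if that went through. */
static bool premature_free_accepted(bool with_fix)
{
	free_list = NULL;
	struct buffer *first = alloc_buffer(with_fix);
	first->allow_user_free = true;   /* kernel delivers it to userspace */
	recycle(first);                  /* kernel-side release, flag untouched */
	struct buffer *reused = alloc_buffer(with_fix); /* same struct returns */
	bool accepted = user_free(reused); /* races ahead of the caller's init */
	free(first);
	return accepted;
}
```

premature_free_accepted(false) returns true (the pre-fix behaviour) and premature_free_accepted(true) returns false.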
20 Sep, 2018
1 commit
-
commit da1b9564e85b1d7baf66cbfabcab27e183a1db63 upstream.
There is RaceFuzzer report like below because we have no lock to close
below the race between binder_mmap and binder_alloc_new_buf_locked.
To close the race, let's use memory barrier so that if someone see
alloc->vma is not NULL, alloc->vma_vm_mm should be never NULL.

(I didn't add stable mark intentionally because standard android
userspace libraries that interact with binder (libbinder & libhwbinder)
prevent the mmap/ioctl race. - from Todd)

"
Thread interleaving:

CPU0 (binder_alloc_mmap_handler)
    // drivers/android/binder_alloc.c
    // #L718 (v4.18-rc3)
    alloc->vma = vma;

CPU1 (binder_alloc_new_buf_locked)
    // drivers/android/binder_alloc.c
    // #L346 (v4.18-rc3)
    if (alloc->vma == NULL) {
        ...
        // alloc->vma is not NULL at this point
        return ERR_PTR(-ESRCH);
    }
    ...
    // #L438
    binder_update_page_range(alloc, 0,
            (void *)PAGE_ALIGN((uintptr_t)buffer->data),
            end_page_addr);
    // In binder_update_page_range() #L218
    // But still alloc->vma_vm_mm is NULL here
    if (need_mm && mmget_not_zero(alloc->vma_vm_mm))

CPU0 (binder_alloc_mmap_handler)
    alloc->vma_vm_mm = vma->vm_mm;

Crash Log:
==================================================================
BUG: KASAN: null-ptr-deref in __atomic_add_unless include/asm-generic/atomic-instrumented.h:89 [inline]
BUG: KASAN: null-ptr-deref in atomic_add_unless include/linux/atomic.h:533 [inline]
BUG: KASAN: null-ptr-deref in mmget_not_zero include/linux/sched/mm.h:75 [inline]
BUG: KASAN: null-ptr-deref in binder_update_page_range+0xece/0x18e0 drivers/android/binder_alloc.c:218
Write of size 4 at addr 0000000000000058 by task syz-executor0/11184

CPU: 1 PID: 11184 Comm: syz-executor0 Not tainted 4.18.0-rc3 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x16e/0x22c lib/dump_stack.c:113
kasan_report_error mm/kasan/report.c:352 [inline]
kasan_report+0x163/0x380 mm/kasan/report.c:412
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x140/0x1a0 mm/kasan/kasan.c:267
kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
__atomic_add_unless include/asm-generic/atomic-instrumented.h:89 [inline]
atomic_add_unless include/linux/atomic.h:533 [inline]
mmget_not_zero include/linux/sched/mm.h:75 [inline]
binder_update_page_range+0xece/0x18e0 drivers/android/binder_alloc.c:218
binder_alloc_new_buf_locked drivers/android/binder_alloc.c:443 [inline]
binder_alloc_new_buf+0x467/0xc30 drivers/android/binder_alloc.c:513
binder_transaction+0x125b/0x4fb0 drivers/android/binder.c:2957
binder_thread_write+0xc08/0x2770 drivers/android/binder.c:3528
binder_ioctl_write_read.isra.39+0x24f/0x8e0 drivers/android/binder.c:4456
binder_ioctl+0xa86/0xf34 drivers/android/binder.c:4596
vfs_ioctl fs/ioctl.c:46 [inline]
do_vfs_ioctl+0x154/0xd40 fs/ioctl.c:686
ksys_ioctl+0x94/0xb0 fs/ioctl.c:701
__do_sys_ioctl fs/ioctl.c:708 [inline]
__se_sys_ioctl fs/ioctl.c:706 [inline]
__x64_sys_ioctl+0x43/0x50 fs/ioctl.c:706
do_syscall_64+0x167/0x4b0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
"

Signed-off-by: Todd Kjos
Signed-off-by: Minchan Kim
Reviewed-by: Martijn Coenen
Cc: stable
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Greg Kroah-Hartman
04 Feb, 2018
1 commit
-
commit aac6830ec1cb681544212838911cdc57f2638216 upstream.
VM_IOREMAP is used to access hardware through a mechanism called
I/O mapped memory. Android binder is an IPC mechanism which will
not access I/O memory.

And VM_IOREMAP has an alignment requirement which may not be needed in
binder.

    __get_vm_area_node()
    {
    ...
        if (flags & VM_IOREMAP)
            align = 1ul << clamp_t(int, fls_long(size),
                                   PAGE_SHIFT, IOREMAP_MAX_ORDER);
    ...
    }

This patch will save some kernel vm area, especially for 32bit os.
In 32bit OS, kernel vm area is only 240MB. We may get the below
error when launching an app:

[ 4482.440053] binder_alloc: binder_alloc_mmap_handler: 15728 8ce67000-8cf65000 get_vm_area failed -12
[ 4483.218817] binder_alloc: binder_alloc_mmap_handler: 15745 8ce67000-8cf65000 get_vm_area failed -12

Signed-off-by: Ganesh Mahendran
Acked-by: Martijn Coenen
Acked-by: Todd Kjos
Signed-off-by: Greg Kroah-Hartman
21 Oct, 2017
2 commits
-
Don't access next->data in kernel debug message when the
next buffer is null.

Acked-by: Arve Hjønnevåg
Signed-off-by: Sherry Yang
Signed-off-by: Greg Kroah-Hartman
-
Use binder_alloc struct's mm_struct rather than getting
a reference to the mm struct through get_task_mm to
avoid a potential deadlock between lru lock, task lock and
dentry lock, since a thread can be holding the task lock
and the dentry lock while trying to acquire the lru lock.

Acked-by: Arve Hjønnevåg
Signed-off-by: Sherry Yang
Signed-off-by: Greg Kroah-Hartman
04 Oct, 2017
1 commit
-
Drop the global lru lock in isolate callback before calling
zap_page_range which calls cond_resched, and re-acquire the global lru
lock before returning. Also change return code to LRU_REMOVED_RETRY.

Use mmput_async when failing to acquire mmap sem in an atomic context.
Fix "BUG: sleeping function called from invalid context"
errors when CONFIG_DEBUG_ATOMIC_SLEEP is enabled.

Also restore mmput_async, which was initially introduced in commit
ec8d7c14ea14 ("mm, oom_reaper: do not mmput synchronously from the oom
reaper context"), and was removed in commit 212925802454 ("mm: oom: let
oom_reap_task and exit_mmap run concurrently").

Link: http://lkml.kernel.org/r/20170914182231.90908-1-sherryy@android.com
Fixes: f2517eb76f1f2 ("android: binder: Add global lru shrinker to binder")
Signed-off-by: Sherry Yang
Signed-off-by: Greg Kroah-Hartman
Reported-by: Kyle Yan
Acked-by: Arve Hjønnevåg
Acked-by: Michal Hocko
Cc: Martijn Coenen
Cc: Todd Kjos
Cc: Riley Andrews
Cc: Ingo Molnar
Cc: Vlastimil Babka
Cc: Hillf Danton
Cc: Peter Zijlstra
Cc: Andrea Arcangeli
Cc: Thomas Gleixner
Cc: Andy Lutomirski
Cc: Oleg Nesterov
Cc: Hoeun Ryu
Cc: Christopher Lameter
Cc: Vegard Nossum
Cc: Frederic Weisbecker
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
01 Sep, 2017
2 commits
-
Add the number of active, lru, and free pages for
each binder process in binder stats

Signed-off-by: Sherry Yang
Signed-off-by: Greg Kroah-Hartman
-
Fix crash introduced by 74310e06be4d74dcf67cd108366710dee5c576d5
(android: binder: Move buffer out of area shared with user space)
when close is called after open without mmap in between.

Reported-by: kernel test robot
Fixes: 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
Signed-off-by: Sherry Yang
Signed-off-by: Greg Kroah-Hartman
28 Aug, 2017
4 commits
-
Add tracepoints in binder transaction allocator to
record lru hits and alloc/free page.

Signed-off-by: Sherry Yang
Signed-off-by: Greg Kroah-Hartman
-
Hold on to the pages allocated and mapped for transaction
buffers until the system is under memory pressure. When
that happens, use linux shrinker to free pages. Without
using shrinker, patch "android: binder: Move buffer out
of area shared with user space" will cause a significant
slow down for small transactions that fit into the first
page because free list buffer header used to be inlined
with buffer data.

In addition to preventing the performance regression for
small transactions, this patch improves the performance
for transactions that take up more than one page.

Modify alloc selftest to work with the shrinker change.
Test: Run memory intensive applications (Chrome and Camera)
to trigger shrinker callbacks. Binder frees memory as expected.
Test: Run binderThroughputTest with high memory pressure
option enabled.

Signed-off-by: Sherry Yang
Signed-off-by: Greg Kroah-Hartman
-
Binder driver allocates buffer meta data in a region that is mapped
in user space. These meta data contain pointers in the kernel.

This patch allocates buffer meta data on the kernel heap that is
not mapped in user space, and uses a pointer to refer to the data mapped.

Signed-off-by: Sherry Yang
Signed-off-by: Greg Kroah-Hartman
-
Use helper functions buffer_next and buffer_prev instead
of list_entry to get the next and previous buffers.

Signed-off-by: Sherry Yang
Signed-off-by: Greg Kroah-Hartman
17 Jul, 2017
4 commits
-
Display information about allocated/free space whenever
binder buffer allocation fails on synchronous
transactions.

Signed-off-by: Martijn Coenen
Signed-off-by: Siqi Lin
Signed-off-by: Greg Kroah-Hartman
-
Adds protection against malicious user code freeing
the same buffer at the same time which could cause
a crash. Cannot happen under normal use.

Signed-off-by: Todd Kjos
Signed-off-by: Greg Kroah-Hartman
-
Add additional information to determine the cause of binder
failures. Adds the following to failed transaction log and
kernel messages:
return_error : value returned for transaction
return_error_param : errno returned by binder allocator
return_error_line : line number where error detected

Also, return BR_DEAD_REPLY if an allocation error indicates
a dead proc (-ESRCH)

Signed-off-by: Todd Kjos
Signed-off-by: Greg Kroah-Hartman
-
Move the binder allocator functionality to its own file
Continuation of splitting the binder allocator from the binder
driver. Split binder_alloc functions from normal binder functions.

Add kernel doc comments to functions declared extern in
binder_alloc.h

Signed-off-by: Todd Kjos
Signed-off-by: Greg Kroah-Hartman