authorArve Hjønnevåg <arve@android.com>2017-02-09 18:24:45 +0100
committerBertolin, PierreX <pierrex.bertolin@intel.com>2017-02-23 03:17:11 -0800
commit2c36fa484bb97f4bc9bf6250d795340eb8b9e39e (patch)
treef8f3bb2e55e0495e0a79529f800a6cd8203fa985 /drivers
parentda3093d139fa7ba58937f2a517624ede3e30a394 (diff)
downloadx86-2c36fa484bb97f4bc9bf6250d795340eb8b9e39e.tar.gz
ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct
CVE-2016-6689 Prevents leaking pointers between processes BUG: 30768347 Change-Id: I0742878827d069940dbaef94a7d39824fc5d55b1 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4089 Signed-off-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Martijn Coenen <maco@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Reviewed-on: https://android.intel.com/567645 Reviewed-by: Louis, FabienX <fabienx.louis@intel.com> Tested-by: Louis, FabienX <fabienx.louis@intel.com> Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by: Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/android/binder.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 57f52a2afa35..5fa5193c238b 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1578,7 +1578,9 @@ static void binder_transaction(struct binder_proc *proc,
fp->type = BINDER_TYPE_HANDLE;
else
fp->type = BINDER_TYPE_WEAK_HANDLE;
+ fp->binder = 0;
fp->handle = ref->desc;
+ fp->cookie = 0;
binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE,
&thread->todo);
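Review bot: The placement of `fp->binder = 0;` ahead of `fp->handle = ref->desc;` is load-bearing and should carry a comment: in struct flat_binder_object the `binder` and `handle` members share a union, so the 64-bit clear has to land first, and a later reordering of the two lines would either clobber the freshly stored handle or leave the upper bytes of the kernel node pointer in place for the receiving process to read. Suggest `/* binder and handle alias in a union: zero all 64 bits before storing the 32-bit handle */` above the first of the two lines, so the ordering survives future refactoring. The same ordering constraint applies to the second hunk (`fp->handle = new_ref->desc;`) and the third (`fp->handle = target_fd;`), which should reference the same comment or repeat it. binder_transaction begins and ends outside this hunk.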
@@ -1625,7 +1627,9 @@ static void binder_transaction(struct binder_proc *proc,
return_error = BR_FAILED_REPLY;
goto err_binder_get_ref_for_node_failed;
}
+ fp->binder = 0;
fp->handle = new_ref->desc;
+ fp->cookie = 0;
binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL);
trace_binder_transaction_ref_to_ref(t, ref,
new_ref);
@@ -1679,6 +1683,7 @@ static void binder_transaction(struct binder_proc *proc,
binder_debug(BINDER_DEBUG_TRANSACTION,
" fd %d -> %d\n", fp->handle, target_fd);
/* TODO: fput? */
+ fp->binder = 0;
fp->handle = target_fd;
} break;