From 2c36fa484bb97f4bc9bf6250d795340eb8b9e39e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arve=20Hj=C3=B8nnev=C3=A5g?=
Date: Thu, 9 Feb 2017 18:24:45 +0100
Subject: ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2016-6689
Prevents leaking pointers between processes
BUG: 30768347
Change-Id: I0742878827d069940dbaef94a7d39824fc5d55b1
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4089
Signed-off-by: Arve Hjønnevåg
Signed-off-by: Martijn Coenen
Signed-off-by: Greg Kroah-Hartman
Reviewed-on: https://android.intel.com/567645
Reviewed-by: Louis, FabienX
Tested-by: Louis, FabienX
Reviewed-by: Dubray, SimonX
Reviewed-by: Deverge, Jean-francoisX
Reviewed-by: Tasayco Loarte, VictorX
---
 drivers/android/binder.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'drivers')

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 57f52a2afa35..5fa5193c238b 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1578,7 +1578,9 @@ static void binder_transaction(struct binder_proc *proc,
 fp->type = BINDER_TYPE_HANDLE;
 else
 fp->type = BINDER_TYPE_WEAK_HANDLE;
+ fp->binder = 0;
 fp->handle = ref->desc;
+ fp->cookie = 0;
 binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE,
 &thread->todo);
 
@@ -1625,7 +1627,9 @@ static void binder_transaction(struct binder_proc *proc,
 return_error = BR_FAILED_REPLY;
 goto err_binder_get_ref_for_node_failed;
 }
+ fp->binder = 0;
 fp->handle = new_ref->desc;
+ fp->cookie = 0;
 binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL);
 trace_binder_transaction_ref_to_ref(t, ref, new_ref);
 
@@ -1679,6 +1683,7 @@ static void binder_transaction(struct binder_proc *proc,
 binder_debug(BINDER_DEBUG_TRANSACTION,
 " fd %d -> %d\n", fp->handle, target_fd);
 /* TODO: fput? */
+ fp->binder = 0;
 fp->handle = target_fd;
 } break;
 
-- 
cgit v1.2.3
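Review bot: The new `fp->binder = 0;` is placed before `fp->handle = ...` in all three hunks, and nothing in the hunk records why that order matters; if `binder` and `handle` overlay the same storage with `binder` the wider field (which the placement suggests but the hunk does not show), clearing after the handle write would wipe the handle, so the order is load-bearing. A one-line comment at the first clear, `/* binder overlays handle: clear the wider field first so no bits of the old value survive the handle write */`, would protect it from a well-meaning reorder later; the same comment applies to the clears in the second and third hunks. binder_transaction() starts and ends outside the hunk.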
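Review bot: The fd branch clears `fp->binder` but, unlike the two handle branches earlier in this patch, leaves `fp->cookie` as it arrived in the transaction; whether that asymmetry is deliberate (the cookie not being interpreted for fd objects) cannot be told from the hunk. If it is intentional, a short comment next to the new line, `/* cookie deliberately left untouched for fd objects */`, would record the decision; if it is not, `fp->cookie = 0;` after the handle assignment would make the three branches uniform. binder_transaction() continues outside the hunk in both directions.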