ACK: [Disco][SRU][CVE-2019-2181][PATCH] binder: check for overflow when alloc for security context

Kleber Souza kleber.souza at canonical.com
Fri Sep 27 15:10:42 UTC 2019


On 26.09.19 21:14, Connor Kuehl wrote:
> From: Todd Kjos <tkjos at android.com>
> 
> CVE-2019-2181
> 
> When allocating space in the target buffer for the security context,
> make sure the extra_buffers_size doesn't overflow. This can only
> happen if the given size is invalid, but an overflow can turn it
> into a valid size. Fail the transaction if an overflow is detected.
> 
> Signed-off-by: Todd Kjos <tkjos at google.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> (cherry picked from commit 0b0509508beff65c1d50541861bc0d4973487dc5)
> Signed-off-by: Connor Kuehl <connor.kuehl at canonical.com>

Clean cherry-pick.

Acked-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>

> ---
>  drivers/android/binder.c | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index c620bf826f9c..d558e6ccbc1b 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -3039,6 +3039,7 @@ static void binder_transaction(struct binder_proc *proc,
>  
>  	if (target_node && target_node->txn_security_ctx) {
>  		u32 secid;
> +		size_t added_size;
>  
>  		security_task_getsecid(proc->tsk, &secid);
>  		ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
> @@ -3048,7 +3049,15 @@ static void binder_transaction(struct binder_proc *proc,
>  			return_error_line = __LINE__;
>  			goto err_get_secctx_failed;
>  		}
> -		extra_buffers_size += ALIGN(secctx_sz, sizeof(u64));
> +		added_size = ALIGN(secctx_sz, sizeof(u64));
> +		extra_buffers_size += added_size;
> +		if (extra_buffers_size < added_size) {
> +			/* integer overflow of extra_buffers_size */
> +			return_error = BR_FAILED_REPLY;
> +			return_error_param = EINVAL;
> +			return_error_line = __LINE__;
> +			goto err_bad_extra_size;
> +		}
>  	}
>  
>  	trace_binder_transaction(reply, t, target_node);
> @@ -3349,6 +3358,7 @@ static void binder_transaction(struct binder_proc *proc,
>  	t->buffer->transaction = NULL;
>  	binder_alloc_free_buf(&target_proc->alloc, t->buffer);
>  err_binder_alloc_buf_failed:
> +err_bad_extra_size:
>  	if (secctx)
>  		security_release_secctx(secctx, secctx_sz);
>  err_get_secctx_failed:
> 




More information about the kernel-team mailing list