On Mon, Aug 01, 2022 at 06:25:11PM +0000, Carlos Llamas wrote:
> A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the
> reference for a node. In this case, the target proc normally releases
> the failed reference upon close as expected. However, if the target is
> dying in parallel the call will race with binder_deferred_release(), so
> the target could have released all of its references by now leaving the
> cleanup of the new failed reference unhandled.
>
> The transaction then ends and the target proc gets released making the
> ref->proc now a dangling pointer. Later on, ref->node is closed and we
> attempt to take spin_lock(&ref->proc->inner_lock), which leads to the
> use-after-free bug reported below. Let's fix this by cleaning up the
> failed reference on the spot instead of relying on the target to do so.
>
> ==================================================================
> BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150
> Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590
>
> CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10
> Hardware name: linux,dummy-virt (DT)
> Workqueue: events binder_deferred_func
> Call trace:
> dump_backtrace.part.0+0x1d0/0x1e0
> show_stack+0x18/0x70
> dump_stack_lvl+0x68/0x84
> print_report+0x2e4/0x61c
> kasan_report+0xa4/0x110
> kasan_check_range+0xfc/0x1a4
> __kasan_check_write+0x3c/0x50
> _raw_spin_lock+0xa8/0x150
> binder_deferred_func+0x5e0/0x9b0
> process_one_work+0x38c/0x5f0
> worker_thread+0x9c/0x694
> kthread+0x188/0x190
> ret_from_fork+0x10/0x20
>
> Signed-off-by: Carlos Llamas <cmllamas@xxxxxxxxxx>
> ---
> drivers/android/binder.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index 362c0deb65f1..9d42afe60180 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -1361,6 +1361,18 @@ static int binder_inc_ref_for_node(struct binder_proc *proc,
> }
> ret = binder_inc_ref_olocked(ref, strong, target_list);
> *rdata = ref->data;
> + if (ret && ref == new_ref) {
> + /*
> + * Cleanup the failed reference here as the target
> + * could now be dead and have already released its
> + * references by now. Calling on the new reference
> + * with strong=0 and a tmp_refs will not decrement
> + * the node. The new_ref gets kfree'd below.
> + */
> + binder_cleanup_ref_olocked(new_ref);
> + ref = NULL;
> + }
> +
> binder_proc_unlock(proc);
> if (new_ref && ref != new_ref)
> /*
> --
> 2.37.1.455.g008518b4e5-goog
>
Sorry, I forgot to CC stable. This patch should be applied to all stable
kernels starting with 4.14 and higher.
Cc: stable@xxxxxxxxxxxxxxx # 4.14+
