binder: fix pointer cast warning

stable inclusion from stable-v5.10.157 commit 2e3c27f24173c6f3d799080da82126fa044a2f5e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6DKVG CVE: CVE-2023-20938 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2e3c27f24173c6f3d799080da82126fa044a2f5e -------------------------------- commit 9a0a930f upstream. binder_uintptr_t is not the same as uintptr_t, so converting it into a pointer requires a second cast: drivers/android/binder.c: In function 'binder_translate_fd_array': drivers/android/binder.c:2511:28: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] 2511 | sender_ufda_base = (void __user *)sender_uparent->buffer + fda->parent_offset; | ^ Fixes: 656e01f3 ("binder: read pre-translated fds from sender buffer") Acked-by: N Todd Kjos <tkjos@google.com> Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested Acked-by: N Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: N Arnd Bergmann <arnd@arndb.de> Link: https://lore.kernel.org/r/20211207122448.1185769-1-arnd@kernel.orgSigned-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Carlos Llamas <cmllamas@google.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Li Huafei <lihuafei1@huawei.com> Reviewed-by: N Zheng Yejian <zhengyejian1@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Jialin Zhang <zhangjialin11@huawei.com>

binder: fix pointer cast warning
stable inclusion from stable-v5.10.157 commit 2e3c27f24173c6f3d799080da82126fa044a2f5e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6DKVG CVE: CVE-2023-20938 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2e3c27f24173c6f3d799080da82126fa044a2f5e -------------------------------- commit 9a0a930f upstream. binder_uintptr_t is not the same as uintptr_t, so converting it into a pointer requires a second cast: drivers/android/binder.c: In function 'binder_translate_fd_array': drivers/android/binder.c:2511:28: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] 2511 | sender_ufda_base = (void __user *)sender_uparent->buffer + fda->parent_offset; | ^ Fixes: 656e01f3 ("binder: read pre-translated fds from sender buffer") Acked-by: N Todd Kjos <tkjos@google.com> Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested Acked-by: N Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: N Arnd Bergmann <arnd@arndb.de> Link: https://lore.kernel.org/r/20211207122448.1185769-1-arnd@kernel.orgSigned-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Carlos Llamas <cmllamas@google.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Li Huafei <lihuafei1@huawei.com> Reviewed-by: N Zheng Yejian <zhengyejian1@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Jialin Zhang <zhangjialin11@huawei.com>
dc4b7977 · Arnd Bergmann · Jialin Zhang · 14a215be · dc4b7977
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

drivers/android/binder.c drivers/android/binder.c +2 -1

未找到文件。
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2908,7 +2908,8 @@ static int binder_translate_fd_array(struct list_head *pf_head,
 	 */
 	fda_offset = (parent->buffer - (uintptr_t)t->buffer->user_data) +
 		fda->parent_offset;
-	sender_ufda_base = (void __user *)sender_uparent->buffer + fda->parent_offset;
+	sender_ufda_base = (void __user *)(uintptr_t)sender_uparent->buffer +
+				fda->parent_offset;

 	if (!IS_ALIGNED((unsigned long)fda_offset, sizeof(u32)) ||
 	    !IS_ALIGNED((unsigned long)sender_ufda_base, sizeof(u32))) {