binder: avoid potential data leakage when copying txn
stable inclusion from stable-v5.10.157 commit 23e9d815fad84c1bee3742a8de4bd39510435362 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6DKVG CVE: CVE-2023-20938 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=23e9d815fad84c1bee3742a8de4bd39510435362 -------------------------------- commit 6d98eb95 upstream. Transactions are copied from the sender to the target first and objects like BINDER_TYPE_PTR and BINDER_TYPE_FDA are then fixed up. This means there is a short period where the sender's version of these objects are visible to the target prior to the fixups. Instead of copying all of the data first, copy data only after any needed fixups have been applied. Fixes: 457b9a6f ("Staging: android: add binder driver") Reviewed-by: NMartijn Coenen <maco@android.com> Acked-by: NChristian Brauner <christian.brauner@ubuntu.com> Signed-off-by: NTodd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20211130185152.437403-3-tkjos@google.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> [cmllamas: fix trivial merge conflict] Signed-off-by: NCarlos Llamas <cmllamas@google.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NLi Huafei <lihuafei1@huawei.com> Reviewed-by: NZheng Yejian <zhengyejian1@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
Showing
想要评论请 注册 或 登录