ANDROID: binder: prevent transactions into own process.

This can't happen with normal nodes (because you can't get a ref to a node you own), but it could happen with the context manager; to make the behavior consistent with regular nodes, reject transactions into the context manager by the process owning it. Reported-by: syzbot+09e05aba06723a94d43d@syzkaller.appspotmail.com Signed-off-by: N Martijn Coenen <maco@android.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ANDROID: binder: prevent transactions into own process.
This can't happen with normal nodes (because you can't get a ref to a node you own), but it could happen with the context manager; to make the behavior consistent with regular nodes, reject transactions into the context manager by the process owning it. Reported-by: syzbot+09e05aba06723a94d43d@syzkaller.appspotmail.com Signed-off-by: N Martijn Coenen <maco@android.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7aa135fc · Martijn Coenen · Greg Kroah-Hartman · 6d08b06e · 7aa135fc
隐藏空白更改
内联并排

Showing with 8 addition and 0 deletion

drivers/android/binder.c drivers/android/binder.c +8 -0

未找到文件。
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2839,6 +2839,14 @@ static void binder_transaction(struct binder_proc *proc,
 			else
 				return_error = BR_DEAD_REPLY;
 			mutex_unlock(&context->context_mgr_node_lock);
+			if (target_node && target_proc == proc) {
+				binder_user_error("%d:%d got transaction to context manager from process owning it\n",
+						  proc->pid, thread->pid);
+				return_error = BR_FAILED_REPLY;
+				return_error_param = -EINVAL;
+				return_error_line = __LINE__;
+				goto err_invalid_target_handle;
+			}
 		}
 		if (!target_node) {
 			/*