]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
binder: cache secctx size before release zeroes it
authorChris Mason <clm@meta.com>
Wed, 3 Jun 2026 17:44:54 +0000 (10:44 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 3 Jul 2026 10:26:32 +0000 (12:26 +0200)
binder_transaction() bounds the scatter-gather buffer area with
sg_buf_end_offset and subtracts the aligned LSM context size because
the secctx is written at the tail of that area.  The subtraction reads
lsmctx.len, but that field has already been cleared by the time the
line runs:

    security_secid_to_secctx(secid, &lsmctx)   /* lsmctx.len set */
    lsmctx_aligned_size = ALIGN(lsmctx.len, sizeof(u64))
    extra_buffers_size += lsmctx_aligned_size
    ...
    security_release_secctx(&lsmctx)            /* memset zeroes len */
    ...
    sg_buf_end_offset = sg_buf_offset + extra_buffers_size
                        - ALIGN(lsmctx.len, sizeof(u64)) /* ALIGN(0,8) */

security_release_secctx() does memset(cp, 0, sizeof(*cp)), so lsmctx.len
reads back as 0 and the subtraction contributes nothing, leaving
sg_buf_end_offset too large by the aligned secctx size on every
transaction to a txn_security_ctx node.

Each BINDER_TYPE_PTR object then derives buf_left = sg_buf_end_offset -
sg_buf_offset as the sole upper bound on its copy, so the inflated end
offset lets the copy run into the bytes that already hold the secctx.

The aligned size must therefore be cached before release rather than
re-read from the now-cleared field.  Fix by caching it in
lsmctx_aligned_size at function scope when it is first computed and
subtracting lsmctx_aligned_size instead of re-reading lsmctx.len after
release.  Reuse the same value for the earlier buf_offset computation.

Fixes: 6fba89813ccf ("lsm: ensure the correct LSM context releaser")
Cc: stable <stable@kernel.org>
Assisted-by: kres:claude-opus-4-8
Signed-off-by: Chris Mason <clm@meta.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Carlos Llamas <cmllamas@google.com>
Link: https://patch.msgid.link/20260603174506.1957278-1-clm@meta.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/android/binder.c

index ec0ab4f285301452b1b90a2b3b43e2cc9893284e..c48c222642666535f42cc9ed620a92420adf144b 100644 (file)
@@ -3080,6 +3080,7 @@ static void binder_transaction(struct binder_proc *proc,
        int t_debug_id = atomic_inc_return(&binder_last_id);
        ktime_t t_start_time = ktime_get();
        struct lsm_context lsmctx = { };
+       size_t lsmctx_aligned_size = 0;
        LIST_HEAD(sgc_head);
        LIST_HEAD(pf_head);
        const void __user *user_buffer = (const void __user *)
@@ -3346,7 +3347,6 @@ static void binder_transaction(struct binder_proc *proc,
 
        if (target_node && target_node->txn_security_ctx) {
                u32 secid;
-               size_t added_size;
 
                security_cred_getsecid(proc->cred, &secid);
                ret = security_secid_to_secctx(secid, &lsmctx);
@@ -3358,9 +3358,9 @@ static void binder_transaction(struct binder_proc *proc,
                        return_error_line = __LINE__;
                        goto err_get_secctx_failed;
                }
-               added_size = ALIGN(lsmctx.len, sizeof(u64));
-               extra_buffers_size += added_size;
-               if (extra_buffers_size < added_size) {
+               lsmctx_aligned_size = ALIGN(lsmctx.len, sizeof(u64));
+               extra_buffers_size += lsmctx_aligned_size;
+               if (extra_buffers_size < lsmctx_aligned_size) {
                        binder_txn_error("%d:%d integer overflow of extra_buffers_size\n",
                                thread->pid, proc->pid);
                        return_error = BR_FAILED_REPLY;
@@ -3397,7 +3397,7 @@ static void binder_transaction(struct binder_proc *proc,
                size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) +
                                    ALIGN(tr->offsets_size, sizeof(void *)) +
                                    ALIGN(extra_buffers_size, sizeof(void *)) -
-                                   ALIGN(lsmctx.len, sizeof(u64));
+                                   lsmctx_aligned_size;
 
                t->security_ctx = t->buffer->user_data + buf_offset;
                err = binder_alloc_copy_to_buffer(&target_proc->alloc,
@@ -3452,7 +3452,7 @@ static void binder_transaction(struct binder_proc *proc,
        off_end_offset = off_start_offset + tr->offsets_size;
        sg_buf_offset = ALIGN(off_end_offset, sizeof(void *));
        sg_buf_end_offset = sg_buf_offset + extra_buffers_size -
-               ALIGN(lsmctx.len, sizeof(u64));
+               lsmctx_aligned_size;
        off_min = 0;
        for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
             buffer_offset += sizeof(binder_size_t)) {