binder: protect against two threads freeing buffer

Adds protection against malicious user code freeing the same buffer at the same time which could cause a crash. Cannot happen under normal use. Bug: 36650912 Change-Id: I43e078cbf31c0789aaff5ceaf8f1a94c75f79d45 Test: tested manually Signed-off-by: Todd Kjos <tkjos@google.com>
2017-04-21 14:32:11 -07:00
parent 4ea3c9accb
commit eda5c2c85d
3 changed files with 20 additions and 7 deletions
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2613,8 +2613,8 @@ static int binder_thread_write(struct binder_proc *proc,
 				return -EFAULT;
 			ptr += sizeof(binder_uintptr_t);

-			buffer = binder_alloc_buffer_lookup(&proc->alloc,
-							    data_ptr);
+			buffer = binder_alloc_prepare_to_free(&proc->alloc,
+							      data_ptr);
 			if (buffer == NULL) {
 				binder_user_error("%d:%d BC_FREE_BUFFER u%016llx no match\n",
 					proc->pid, thread->pid, (u64)data_ptr);
--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c
@@ -113,8 +113,8 @@ static void binder_insert_allocated_buffer(struct binder_alloc *alloc,
 	rb_insert_color(&new_buffer->rb_node, &alloc->allocated_buffers);
 }

-struct binder_buffer *binder_alloc_buffer_lookup(struct binder_alloc *alloc,
-						 uintptr_t user_ptr)
+struct binder_buffer *binder_alloc_prepare_to_free(struct binder_alloc *alloc,
+						   uintptr_t user_ptr)
 {
 	struct rb_node *n;
 	struct binder_buffer *buffer;
@@ -134,6 +134,17 @@ struct binder_buffer *binder_alloc_buffer_lookup(struct binder_alloc *alloc,
 		else if (kern_ptr > buffer)
 			n = n->rb_right;
 		else {
+			/*
+			 * Guard against user threads attempting to
+			 * free the buffer twice
+			 */
+			if (!buffer->free_in_progress) {
+				buffer->free_in_progress = 1;
+			} else {
+				pr_err("%d:%d FREE_BUFFER u%016llx user freed buffer twice\n",
+				       alloc->pid, current->pid, (u64)user_ptr);
+				buffer = NULL;
+			}
 			mutex_unlock(&alloc->mutex);
 			return buffer;
 		}
@@ -375,6 +386,7 @@ struct binder_buffer *binder_alloc_new_buf(struct binder_alloc *alloc,

 	rb_erase(best_fit, &alloc->free_buffers);
 	buffer->free = 0;
+	buffer->free_in_progress = 0;
 	binder_insert_allocated_buffer(alloc, buffer);
 	if (buffer_size != size) {
 		struct binder_buffer *new_buffer = (void *)buffer->data + size;
--- a/drivers/android/binder_alloc.h
+++ b/drivers/android/binder_alloc.h
@@ -36,7 +36,8 @@ struct binder_buffer {
 	unsigned free:1;
 	unsigned allow_user_free:1;
 	unsigned async_transaction:1;
-	unsigned debug_id:29;
+	unsigned free_in_progress:1;
+	unsigned debug_id:28;

 	struct binder_transaction *transaction;

@@ -72,8 +73,8 @@ extern struct binder_buffer *binder_alloc_new_buf(struct binder_alloc *alloc,
 extern void binder_alloc_init(struct binder_alloc *alloc);
 extern void binder_alloc_vma_close(struct binder_alloc *alloc);
 extern struct binder_buffer *
-binder_alloc_buffer_lookup(struct binder_alloc *alloc,
-			   uintptr_t user_ptr);
+binder_alloc_prepare_to_free(struct binder_alloc *alloc,
+			     uintptr_t user_ptr);
 extern void binder_alloc_free_buf(struct binder_alloc *alloc,
 				  struct binder_buffer *buffer);
 extern int binder_alloc_mmap_handler(struct binder_alloc *alloc,