
Merge tag 'char-misc-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

Pull char/misc fixes from Greg KH:
"Here are four small char/misc driver fixes for reported issues for
5.6-rc5.

These fixes are:

- binder fix for a potential use-after-free problem found (took two
tries to get it right)

- interconnect core fix

- altera-stapl driver fix

All four of these have been in linux-next for a while with no reported
issues"

* tag 'char-misc-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
binder: prevent UAF for binderfs devices II
interconnect: Handle memory allocation errors
altera-stapl: altera_get_note: prevent write beyond end of 'key'
binder: prevent UAF for binderfs devices

+31 -8
+9
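--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -5228,6 +5228,7 @@
 binder_dev = container_of(filp->private_data,
 struct binder_device, miscdev);
 }
+refcount_inc(&binder_dev->ref);
 proc->context = &binder_dev->context;
 binder_alloc_init(&proc->alloc);
 
@@ -5406,6 +5405,7 @@
 static void binder_deferred_release(struct binder_proc *proc)
 {
 struct binder_context *context = proc->context;
+struct binder_device *device;
 struct rb_node *n;
 int threads, nodes, incoming_refs, outgoing_refs, active_transactions;
 
@@ -5423,6 +5421,12 @@
 context->binder_context_mgr_node = NULL;
 }
 mutex_unlock(&context->context_mgr_node_lock);
+device = container_of(proc->context, struct binder_device, context);
+if (refcount_dec_and_test(&device->ref)) {
+kfree(context->name);
+kfree(device);
+}
+proc->context = NULL;
 binder_inner_proc_lock(proc);
 /*
 * Make sure proc stays alive after we
@@ -6085,6 +6077,7 @@
 binder_device->miscdev.minor = MISC_DYNAMIC_MINOR;
 binder_device->miscdev.name = name;
 
+refcount_set(&binder_device->ref, 1);
 binder_device->context.binder_context_mgr_uid = INVALID_UID;
 binder_device->context.name = name;
 mutex_init(&binder_device->context.context_mgr_node_lock);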
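Review bot: In the third hunk, `kfree(context->name)` runs while `context` is still the live local taken at the top of binder_deferred_release (second hunk) and only `proc->context` is cleared afterwards; binder_deferred_release continues past the hunk, so it is worth confirming that nothing below uses `context` or `proc->context` once the final put may have freed them. The ownership rule the first hunk introduces deserves a comment at the `refcount_inc`, e.g. `/* each proc with the device open holds a reference; dropped in binder_deferred_release */`. Note also that the fourth hunk stores the same `name` pointer in both `miscdev.name` and `context.name`, so the final put's `kfree(context->name)` presumably relies on those built-in devices never being unregistered (their count never drops below 1); a one-line comment at the `refcount_set` saying so would keep the next reader from treating it as a dangling-pointer bug.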
+2
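--- a/drivers/android/binder_internal.h
+++ b/drivers/android/binder_internal.h
@@ -8,6 +8,7 @@
 #include <linux/list.h>
 #include <linux/miscdevice.h>
 #include <linux/mutex.h>
+#include <linux/refcount.h>
 #include <linux/stddef.h>
 #include <linux/types.h>
 #include <linux/uidgid.h>
@@ -34,6 +33,7 @@
 struct miscdevice miscdev;
 struct binder_context context;
 struct inode *binderfs_inode;
+refcount_t ref;
 };
 
 /**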
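Review bot: The new `ref` member in the second hunk has no comment saying what it counts or who drops it, and the header is where a reader will look first. From the other files in this commit it appears to count the procs that have the device open plus the binderfs inode that created it; a line such as `refcount_t ref; /* open procs (+ the binderfs inode); freed on the last put */` would record that, and if struct binder_device has a kernel-doc block above the hunk, an `@ref:` entry belongs there instead.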
+5 -2
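--- a/drivers/android/binderfs.c
+++ b/drivers/android/binderfs.c
@@ -154,6 +154,7 @@
 if (!name)
 goto err;
 
+refcount_set(&device->ref, 1);
 device->binderfs_inode = inode;
 device->context.binder_context_mgr_uid = INVALID_UID;
 device->context.name = name;
@@ -258,8 +257,10 @@
 ida_free(&binderfs_minors, device->miscdev.minor);
 mutex_unlock(&binderfs_minors_mutex);
 
-kfree(device->context.name);
-kfree(device);
+if (refcount_dec_and_test(&device->ref)) {
+kfree(device->context.name);
+kfree(device);
+}
 }
 
 /**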
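Review bot: In the second hunk the minor number is returned to `binderfs_minors` unconditionally, but the `struct binder_device` now survives when another holder keeps `ref` above zero, so a live device can carry a `miscdev.minor` that has already been reissued; this is presumably harmless because nothing visible looks a device up by minor after eviction, but a comment stating that the minor is released early on purpose would save the next reader the analysis. The `refcount_set(&device->ref, 1)` in the first hunk would also benefit from naming its owner, e.g. `/* the inode's reference; dropped on eviction */`, so that it is clear how the counts here and in binder.c pair up. The function containing the second hunk starts outside the hunk, so its name and locking context are not visible here.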
+9
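--- a/drivers/interconnect/core.c
+++ b/drivers/interconnect/core.c
@@ -445,6 +445,11 @@
 path->name = kasprintf(GFP_KERNEL, "%s-%s",
 src_node->name, dst_node->name);
 
+if (!path->name) {
+kfree(path);
+return ERR_PTR(-ENOMEM);
+}
+
 return path;
 }
 EXPORT_SYMBOL_GPL(of_icc_get);
@@ -584,6 +579,10 @@
 }
 
 path->name = kasprintf(GFP_KERNEL, "%s-%s", src->name, dst->name);
+if (!path->name) {
+kfree(path);
+path = ERR_PTR(-ENOMEM);
+}
 out:
 mutex_unlock(&icc_lock);
 return path;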
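Review bot: Both hunks recover from a failed kasprintf() with a bare `kfree(path)`, but `path` was built before the hunk by code outside the view; if that code links `path->reqs` entries into per-node lists (as the matching put path would then have to unlink), freeing the struct without undoing that leaves dangling list entries, so the teardown should mirror whatever was registered rather than a plain kfree. The first hunk also returns directly while the second routes through `out:` to drop `icc_lock`; the start of the function in the first hunk (exported as of_icc_get) is outside the hunk, so it is worth confirming no lock is held at that `return ERR_PTR(-ENOMEM)`. Since the two hunks are the same check, one shared cleanup helper could serve both.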
+6 -6
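--- a/drivers/misc/altera-stapl/altera.c
+++ b/drivers/misc/altera-stapl/altera.c
@@ -2112,8 +2112,8 @@
 return status;
 }
 
-static int altera_get_note(u8 *p, s32 program_size,
-s32 *offset, char *key, char *value, int length)
+static int altera_get_note(u8 *p, s32 program_size, s32 *offset,
+char *key, char *value, int keylen, int vallen)
 /*
 * Gets key and value of NOTE fields in the JBC file.
 * Can be called in two modes: if offset pointer is NULL,
@@ -2170,7 +2170,7 @@
 &p[note_table + (8 * i) + 4])];
 
 if (value != NULL)
-strlcpy(value, value_ptr, length);
+strlcpy(value, value_ptr, vallen);
 
 }
 }
@@ -2189,13 +2189,13 @@
 strlcpy(key, &p[note_strings +
 get_unaligned_be32(
 &p[note_table + (8 * i)])],
-length);
+keylen);
 
 if (value != NULL)
 strlcpy(value, &p[note_strings +
 get_unaligned_be32(
 &p[note_table + (8 * i) + 4])],
-length);
+vallen);
 
 *offset = i + 1;
 }
@@ -2449,7 +2449,7 @@
 __func__, (format_version == 2) ? "Jam STAPL" :
 "pre-standardized Jam 1.1");
 while (altera_get_note((u8 *)fw->data, fw->size,
-&offset, key, value, 256) == 0)
+&offset, key, value, 32, 256) == 0)
 printk(KERN_INFO "%s: NOTE \"%s\" = \"%s\"\n",
 __func__, key, value);
 }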
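Review bot: The call site in the last hunk now passes the literals `32` and `256`, which is exactly the kind of drift from the real buffer sizes that this change fixes; if `key` and `value` are local arrays in that function (their declarations are outside the hunk), `&offset, key, value, sizeof(key), sizeof(value)) == 0)` ties the lengths to the buffers so a later size edit cannot reintroduce the overflow. The new `keylen`/`vallen` parameters are also not described in the block comment that follows the signature in the first hunk; a sentence there stating that they are the sizes of the `key` and `value` buffers and that strlcpy() truncates the NOTE strings to fit would complete the contract. altera_get_note's body continues well past the first hunk.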