authorJiri Slaby <jslaby@suse.cz>2019-07-14 11:33:41 +0200
committerJiri Slaby <jslaby@suse.cz>2019-07-14 11:33:52 +0200
commite6e4ac402cd7cb377779b82e34946c4dfeb32d4c (patch)
tree77b9148fff30007f2625feba3b74c8833af983a8
parentaaff17cc4be4a9be8ae570f39c3afe1445630078 (diff)
binder: fix memory leak in error path (bnc#1012628).
-rw-r--r--patches.kernel.org/5.2.1-041-binder-fix-memory-leak-in-error-path.patch48
-rw-r--r--series.conf1
2 files changed, 49 insertions, 0 deletions
diff --git a/patches.kernel.org/5.2.1-041-binder-fix-memory-leak-in-error-path.patch b/patches.kernel.org/5.2.1-041-binder-fix-memory-leak-in-error-path.patch
new file mode 100644
index 0000000000..2e3e5bcdf3
--- /dev/null
+++ b/patches.kernel.org/5.2.1-041-binder-fix-memory-leak-in-error-path.patch
@@ -0,0 +1,48 @@
+From: Todd Kjos <tkjos@android.com>
+Date: Fri, 21 Jun 2019 10:54:15 -0700
+Subject: [PATCH] binder: fix memory leak in error path
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 1909a671dbc3606685b1daf8b22a16f65ea7edda
+
+commit 1909a671dbc3606685b1daf8b22a16f65ea7edda upstream.
+
+syzkallar found a 32-byte memory leak in a rarely executed error
+case. The transaction complete work item was not freed if put_user()
+failed when writing the BR_TRANSACTION_COMPLETE to the user command
+buffer. Fixed by freeing it before put_user() is called.
+
+Reported-by: syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/android/binder.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/android/binder.c b/drivers/android/binder.c
+index bc26b5511f0a..8bf039fdeb91 100644
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -4268,6 +4268,8 @@ static int binder_thread_read(struct binder_proc *proc,
+ case BINDER_WORK_TRANSACTION_COMPLETE: {
+ binder_inner_proc_unlock(proc);
+ cmd = BR_TRANSACTION_COMPLETE;
++ kfree(w);
++ binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
+ if (put_user(cmd, (uint32_t __user *)ptr))
+ return -EFAULT;
+ ptr += sizeof(uint32_t);
+@@ -4276,8 +4278,6 @@ static int binder_thread_read(struct binder_proc *proc,
+ binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE,
+ "%d:%d BR_TRANSACTION_COMPLETE\n",
+ proc->pid, thread->pid);
+- kfree(w);
+- binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
+ } break;
+ case BINDER_WORK_NODE: {
+ struct binder_node *node = container_of(w, struct binder_node, work);
+--
+2.22.0
+
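Review bot: After the moved `kfree(w);`, `w` is a dangling pointer for the remainder of this case, and the new-file lines between the two nested hunks (4271–4277) are not shown here, so it should be confirmed that nothing in that stretch dereferences `w` before `} break;`; the visible tail only touches `cmd`, `ptr`, `proc->pid` and `thread->pid`. The early free deserves a why-comment so a later edit does not reintroduce a use of `w` after it, e.g. directly above the kfree: `/* Free now: a put_user() failure returns -EFAULT below and would skip the cleanup at the end of this case; w is not used past this point. */`. Freeing before the copy-out is the right shape for the leak being fixed, since the `-EFAULT` return otherwise bypasses the original trailing `kfree(w)`. binder_thread_read starts and ends outside the hunk.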
diff --git a/series.conf b/series.conf
index 29f747d13d..2eb2720a44 100644
--- a/series.conf
+++ b/series.conf
@@ -67,6 +67,7 @@
patches.kernel.org/5.2.1-038-staging-mt7621-pci-fix-PCIE_FTS_NUM_LO-macro.patch
patches.kernel.org/5.2.1-039-HID-Add-another-Primax-PIXART-OEM-mouse-quirk.patch
patches.kernel.org/5.2.1-040-lkdtm-support-llvm-objcopy.patch
+ patches.kernel.org/5.2.1-041-binder-fix-memory-leak-in-error-path.patch
########################################################
# Build fixes that apply to the vanilla kernel too.