Revert "binder: fix UAF caused by faulty buffer cleanup"

This reverts commit e1e198eff1. It breaks the Android KABI and will be brought back at a later time when it is safe to do so. Bug: 161946584 Change-Id: I66f4d99f9adce21b7eb4a78cb6775f1df69a4343 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2026-06-05 18:41:58 +09:00 · 2023-06-13 19:37:40 +00:00
parent 940f3dad8f
commit 9f67f4f500
1 changed files with 7 additions and 21 deletions
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2126,23 +2126,24 @@ static void binder_deferred_fd_close(int fd)
 static void binder_transaction_buffer_release(struct binder_proc *proc,
 					      struct binder_thread *thread,
 					      struct binder_buffer *buffer,
-					      binder_size_t off_end_offset,
+					      binder_size_t failed_at,
 					      bool is_failure)
 {
 	int debug_id = buffer->debug_id;
-	binder_size_t off_start_offset, buffer_offset;
+	binder_size_t off_start_offset, buffer_offset, off_end_offset;
 	binder_debug(BINDER_DEBUG_TRANSACTION,
 		     "%d buffer release %d, size %zd-%zd, failed at %llx\n",
 		     proc->pid, buffer->debug_id,
 		     buffer->data_size, buffer->offsets_size,
-		     (unsigned long long)off_end_offset);
+		     (unsigned long long)failed_at);
 	if (buffer->target_node)
 		binder_dec_node(buffer->target_node, 1, 0);
 	off_start_offset = ALIGN(buffer->data_size, sizeof(void *));
-
+	off_end_offset = is_failure && failed_at ? failed_at :
 				off_start_offset + buffer->offsets_size;
 	for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
 	     buffer_offset += sizeof(binder_size_t)) {
 		struct binder_object_header *hdr;
@@ -2302,21 +2303,6 @@ static void binder_transaction_buffer_release(struct binder_proc *proc,
 	}
 }
 /* Clean up all the objects in the buffer */
 static inline void binder_release_entire_buffer(struct binder_proc *proc,
 						struct binder_thread *thread,
 						struct binder_buffer *buffer,
 						bool is_failure)
 {
 	binder_size_t off_end_offset;
 	off_end_offset = ALIGN(buffer->data_size, sizeof(void *));
 	off_end_offset += buffer->offsets_size;
 	binder_transaction_buffer_release(proc, thread, buffer,
 					  off_end_offset, is_failure);
 }
 static int binder_translate_binder(struct flat_binder_object *fp,
 				   struct binder_transaction *t,
 				   struct binder_thread *thread)
@@ -3019,7 +3005,7 @@ static int binder_proc_transaction(struct binder_transaction *t,
 		t_outdated->buffer = NULL;
 		buffer->transaction = NULL;
 		trace_binder_transaction_update_buffer_release(buffer);
-		binder_release_entire_buffer(proc, NULL, buffer, false);
+		binder_transaction_buffer_release(proc, NULL, buffer, 0, 0);
 		binder_alloc_free_buf(&proc->alloc, buffer);
 		kfree(t_outdated);
 		binder_stats_deleted(BINDER_STAT_TRANSACTION);
@@ -4004,7 +3990,7 @@ binder_free_buf(struct binder_proc *proc,
 		binder_node_inner_unlock(buf_node);
 	}
 	trace_binder_transaction_buffer_release(buffer);
-	binder_release_entire_buffer(proc, thread, buffer, is_failure);
+	binder_transaction_buffer_release(proc, thread, buffer, 0, is_failure);
 	binder_alloc_free_buf(&proc->alloc, buffer);
 }