    binder: fix async_free_space accounting for empty parcels · cfd0d84b
    Todd Kjos authored
    In 4.13, commit 74310e06 ("android: binder: Move buffer out of area shared with user space")
    fixed a kernel structure visibility issue. As part of that patch,
    sizeof(void *) was used as the buffer size for 0-length data payloads so
    the driver could detect abusive clients sending 0-length asynchronous
    transactions to a server by enforcing limits on async_free_size.
    
    Unfortunately, on the "free" side, the accounting of async_free_space
    did not add the sizeof(void *) back. The result was that up to 8 bytes of
    async_free_space were leaked on every async transaction of 8 bytes or
    less. These small transactions are uncommon, so this accounting issue
    has gone undetected for several years.
    
    The fix is to use "buffer_size" (the allocated buffer size) instead of
    "size" (the logical buffer size) when updating the async_free_space
    during the free operation. These are the same except for this
    corner case of asynchronous transactions with payloads < 8 bytes.
    
    Fixes: 74310e06 ("android: binder: Move buffer out of area shared with user space")
    Signed-off-by: Todd Kjos <tkjos@google.com>
    Cc: stable@vger.kernel.org # 4.14+
    Link: https://lore.kernel.org/r/20211220190150.2107077-1-tkjos@google.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
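A constructed C model of the accounting the commit message describes, added here as an illustration (it is not binder_alloc.c or any driver code): allocation charges max(size, sizeof(void *)) against async_free_space, the pre-fix free returns only the logical size, and the fixed free returns the allocated buffer_size. The pool size, struct and function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed async pool size for the model; the real value is per-process. */
#define ASYNC_POOL_SIZE 4096

struct model_alloc {
    size_t async_free_space;   /* bytes still available for async txns */
};

/* Allocation side as described: a payload shorter than sizeof(void *)
 * still consumes sizeof(void *) of async space. */
static size_t alloc_buffer_size(size_t data_size)
{
    return data_size < sizeof(void *) ? sizeof(void *) : data_size;
}

static bool model_alloc_async(struct model_alloc *a, size_t data_size)
{
    size_t buffer_size = alloc_buffer_size(data_size);
    if (a->async_free_space < buffer_size)
        return false;          /* async space exhausted: client rejected */
    a->async_free_space -= buffer_size;
    return true;
}

/* Free side before the fix: returns only the logical "size". */
static void model_free_async_buggy(struct model_alloc *a, size_t data_size)
{
    a->async_free_space += data_size;
}

/* Free side after the fix: returns the allocated "buffer_size". */
static void model_free_async_fixed(struct model_alloc *a, size_t data_size)
{
    a->async_free_space += alloc_buffer_size(data_size);
}

/* Run n async transactions of data_size bytes through alloc+free and
 * return how much async_free_space is left (should equal the pool size). */
size_t remaining_after(size_t n, size_t data_size, bool fixed)
{
    struct model_alloc a = { .async_free_space = ASYNC_POOL_SIZE };
    for (size_t i = 0; i < n; i++) {
        if (!model_alloc_async(&a, data_size))
            break;             /* leak has drained the pool */
        if (fixed)
            model_free_async_fixed(&a, data_size);
        else
            model_free_async_buggy(&a, data_size);
    }
    return a.async_free_space;
}
```

With the buggy free, 0-length transactions drain the pool after ASYNC_POOL_SIZE / sizeof(void *) iterations, while payloads of sizeof(void *) or more show no drift in either version.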
binder_alloc.c 35 KB