Open Source and information security mailing list archives
Message-ID: <aDIEqaNaLBChOlg9@google.com>
Date: Sat, 24 May 2025 17:40:57 +0000
From: Carlos Llamas <cmllamas@...gle.com>
To: syzbot <syzbot+4af454407ec393de51d6@...kaller.appspotmail.com>
Cc: arve@...roid.com, brauner@...nel.org, gregkh@...uxfoundation.org,
	joelagnelf@...dia.com, linux-kernel@...r.kernel.org,
	maco@...roid.com, surenb@...gle.com,
	syzkaller-bugs@...glegroups.com, tkjos@...roid.com
Subject: Re: [syzbot] [kernel?] KASAN: slab-use-after-free Write in binder_remove_device

On Sat, May 24, 2025 at 05:07:27AM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    176e917e010c Add linux-next specific files for 20250523
> git tree:       linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1399a170580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=e7902c752bef748
> dashboard link: https://syzkaller.appspot.com/bug?extid=4af454407ec393de51d6
> compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=108b55f4580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1145e5f4580000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/5f7692c642fa/disk-176e917e.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/057a442d42d0/vmlinux-176e917e.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/8f8ebdb4dd96/bzImage-176e917e.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+4af454407ec393de51d6@...kaller.appspotmail.com
> 

Oh, I know what is happening here. I believe these would be the steps:

  1. There are multiple devices in binder_devices.
  2. 'binder_proc' of device X dies but its release is deferred.
  3. binderfs is unmounted, decrements device X and waits.
  4. 'binder_proc' is released, kfree's the device without removing it
     from the binder_devices list first. Leaves dangling pointers.
  5. umount continues, releases next devices but list is corrupted.

This should fix the problem...

#syz test

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 8d9c5f436fca..6be0f7ac7213 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -5246,6 +5246,7 @@ static void binder_free_proc(struct binder_proc *proc)
 			__func__, proc->outstanding_txns);
 	device = container_of(proc->context, struct binder_device, context);
 	if (refcount_dec_and_test(&device->ref)) {
+		binder_remove_device(device);
 		kfree(proc->context->name);
 		kfree(device);
 	}
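Review bot: the new binder_remove_device(device) call is placed before kfree(device) inside the refcount_dec_and_test() branch, which addresses the ordering described in step 4 (the device was freed while still linked into binder_devices), but the hunk does not show what serialises the binder_devices list; confirm that binder_remove_device() takes the same lock the umount path holds while it walks the list (step 5), otherwise the unlink here and that traversal can still race. A short comment above the call, e.g. "/* unlink from binder_devices before the device memory is freed */", would make the required ordering explicit for later readers of binder_free_proc().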
