Date: Thu, 18 May 2023 17:03:36 +0000
From: Carlos Llamas
To: "Liam R. Howlett", Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, Suren Baghdasaryan, linux-kernel@vger.kernel.org, kernel-team@android.com, linux-mm@kvack.org
Subject: Re: [RFC PATCH 2/3] Revert "android: binder: stop saving a pointer to the VMA"
References: <20230424205548.1935192-1-cmllamas@google.com> <20230424205548.1935192-2-cmllamas@google.com> <20230424223419.6n2z72mocgmcj3aw@revolver> <20230425014328.d6vvimziv6je5xdg@revolver> <20230518144052.xkj6vmddccq4v66b@revolver>
In-Reply-To: <20230518144052.xkj6vmddccq4v66b@revolver>

On Thu, May 18, 2023 at 10:40:52AM -0400, Liam R. Howlett wrote:
>
> I came across this [1] when I was looking into something else and
> thought I'd double back and make sure your fix for this UAF is also
> included, since your revert will restore this bug.
>
> I do still see the mmap_read_lock() in binder_update_page_range() vs the
> required mmap_write_lock(), at least in my branch.
>
> [1] https://lore.kernel.org/all/20221104175450.306810-1-cmllamas@google.com/
>

Thanks Liam, I believe you are correct. The UAF should trigger on newer
releases after the revert of your patch. I'll try to reproduce the issue
to confirm and will send the fix afterwards.

This was a nice find!

Thanks,
--
Carlos Llamas