From: "Liam R. Howlett" <Liam.Howlett@oracle.com>
To: Alice Ryhl <aliceryhl@google.com>
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Carlos Llamas" <cmllamas@google.com>,
"Jann Horn" <jannh@google.com>, "Miguel Ojeda" <ojeda@kernel.org>,
"Boqun Feng" <boqun@kernel.org>, "Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <lossin@kernel.org>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Trevor Gross" <tmgross@umich.edu>,
"Danilo Krummrich" <dakr@kernel.org>,
"Lorenzo Stoakes" <lorenzo.stoakes@oracle.com>,
linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org,
linux-mm@kvack.org, stable@vger.kernel.org
Subject: Re: [PATCH v2 2/2] rust_binder: avoid reading the written value in offsets array
Date: Wed, 18 Feb 2026 11:02:52 -0500
Message-ID: <rnvut3mevmhmqxjqe3v2dnlt2w3vxqbauyvgfgqaqeyqy5cx4i@m5bdotzx3mno>
In-Reply-To: <20260218-binder-vma-check-v2-2-60f9d695a990@google.com>
* Alice Ryhl <aliceryhl@google.com> [260218 06:53]:
> When sending a transaction, its offsets array is first copied into the
> target proc's vma, and then the values are read back from there. This is
> normally fine because the vma is a read-only mapping, so the target
> process cannot change the value under us.
>
> However, if the target process somehow gains the ability to write to its
> own vma, it could change the offset before it's read back, causing the
> kernel to misinterpret what the sender meant. If the sender happens to
> send a payload with a specific shape, this could in the worst case lead
> to the receiver being able to privilege escalate into the sender.
>
> The intent is that gaining the ability to change the read-only vma of
> your own process should not be exploitable, so remove this TOCTOU read
> even though it's unexploitable without another Binder bug.
>
> Cc: stable@vger.kernel.org
> Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
> Reported-by: Jann Horn <jannh@google.com>
> Reviewed-by: Jann Horn <jannh@google.com>
> Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Liam R. Howlett <Liam.Howlett@oracle.com>
> ---
> drivers/android/binder/thread.rs | 17 ++++++-----------
> 1 file changed, 6 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/android/binder/thread.rs b/drivers/android/binder/thread.rs
> index 1f1709a6a77abc1c865cc9387e7ba7493448c71d..a81910f4cedf9bf485bf1cf954b95aee6c122cfd 100644
> --- a/drivers/android/binder/thread.rs
> +++ b/drivers/android/binder/thread.rs
> @@ -1016,12 +1016,9 @@ pub(crate) fn copy_transaction_data(
>
> // Copy offsets if there are any.
> if offsets_size > 0 {
> - {
> - let mut reader =
> - UserSlice::new(UserPtr::from_addr(trd_data_ptr.offsets as _), offsets_size)
> - .reader();
> - alloc.copy_into(&mut reader, aligned_data_size, offsets_size)?;
> - }
> + let mut offsets_reader =
> + UserSlice::new(UserPtr::from_addr(trd_data_ptr.offsets as _), offsets_size)
> + .reader();
>
> let offsets_start = aligned_data_size;
> let offsets_end = aligned_data_size + offsets_size;
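Review bot: the loop further down that now does the copying steps from `offsets_start` to `offsets_end` in `size_of::<u64>()` increments, so once the bulk `alloc.copy_into(&mut reader, aligned_data_size, offsets_size)?` is dropped, a trailing partial word in an `offsets_size` that is not a multiple of 8 is neither read from the sender nor written into the allocation, whereas the old bulk copy at least overwrote those bytes. Nothing in this hunk shows where `offsets_size` is checked for `u64` alignment; if that check is made earlier in `copy_transaction_data` or by the caller, a one-line comment next to `if offsets_size > 0` saying so would save the next reader the search, otherwise rejecting an unaligned `offsets_size` with EINVAL at that point is the natural place. `offsets_reader` also now lives for the rest of the function rather than the old inner block; that is fine, but worth a short comment that it is consumed incrementally by the loop below.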
> @@ -1042,11 +1039,9 @@ pub(crate) fn copy_transaction_data(
> .step_by(size_of::<u64>())
> .enumerate()
> {
> - let offset: usize = view
> - .alloc
> - .read::<u64>(index_offset)?
> - .try_into()
> - .map_err(|_| EINVAL)?;
> + let offset = offsets_reader.read::<u64>()?;
> + view.alloc.write(index_offset, &offset)?;
> + let offset: usize = offset.try_into().map_err(|_| EINVAL)?;
>
> if offset < end_of_previous_object || !is_aligned(offset, size_of::<u32>()) {
> pr_warn!("Got transaction with invalid offset.");
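Review bot: the freshly read `u64` is committed to the receiver's allocation by `view.alloc.write(index_offset, &offset)?` before either `offset.try_into().map_err(|_| EINVAL)?` or the `offset < end_of_previous_object || !is_aligned(offset, size_of::<u32>())` check runs, so a rejected transaction has already had the invalid offset written into the target buffer. That is harmless only if the allocation is torn down whenever `copy_transaction_data` returns `Err`, which the hunk does not show; either move the `view.alloc.write` below the validation so only accepted offsets ever reach the receiver's mapping, or add a comment stating why writing first is safe. The ordering aside, reading each value once from `offsets_reader` and validating that same local copy is what removes the read-back from receiver-visible memory; nothing later in this loop consults the allocation again. One `read::<u64>()` user copy per offset replaces a single bulk copy, which is a small cost for typical offset counts but deserves a sentence in the commit message.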
>
> --
> 2.53.0.310.g728cabbaf7-goog
>
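The pattern the commit message describes, as an added stand-alone example that is not the Binder driver's code: the sender's offsets are copied into an allocation the receiver can see, and the vulnerable shape reads them back from that allocation to validate them, while the fixed shape validates the one copy it fetched from the sender. The types and functions here (`Alloc`, `copy_offsets_double_fetch`, `copy_offsets_single_fetch`, `scenario`) are hypothetical models, the `receiver` closure stands in for a target process that has somehow gained write access to its own mapping, and `end_of_previous_object` is simplified to the previous offset. The scenario data is constructed for the example.

```rust
// Added example (not the Binder driver's code): a model of the double fetch
// that the patch removes. The sender's offsets array is copied into an
// allocation the receiver can see, and the kernel then reads the values back
// from that allocation to validate them. If the receiver can write to its own
// mapping in between, the kernel validates attacker-chosen offsets while
// believing they came from the sender.

/// Stand-in for the receiver-visible allocation. Hypothetical type, not the
/// driver's own allocation type.
pub struct Alloc {
    bytes: Vec<u8>,
}

impl Alloc {
    pub fn new(len: usize) -> Self {
        Alloc { bytes: vec![0u8; len] }
    }

    pub fn write_u64(&mut self, off: usize, v: u64) {
        self.bytes[off..off + 8].copy_from_slice(&v.to_ne_bytes());
    }

    pub fn read_u64(&self, off: usize) -> u64 {
        let mut buf = [0u8; 8];
        buf.copy_from_slice(&self.bytes[off..off + 8]);
        u64::from_ne_bytes(buf)
    }
}

/// The per-offset checks visible in the patch: offsets must not go backwards
/// and must be 4-byte aligned. `prev` models `end_of_previous_object`,
/// simplified here to the previous offset.
fn check_offset(offset: u64, prev: u64) -> Result<(), &'static str> {
    if offset < prev || offset % 4 != 0 {
        return Err("invalid offset");
    }
    Ok(())
}

/// Vulnerable shape (before the patch): bulk copy into the shared allocation,
/// then read each value back from it. `receiver` models a target process that
/// can write its own mapping between the copy and the read-back.
pub fn copy_offsets_double_fetch(
    sender: &[u64],
    alloc: &mut Alloc,
    receiver: impl FnOnce(&mut Alloc),
) -> Result<Vec<u64>, &'static str> {
    for (i, off) in sender.iter().enumerate() {
        alloc.write_u64(i * 8, *off);
    }
    receiver(alloc); // the window the patch closes
    let mut validated = Vec::with_capacity(sender.len());
    let mut prev = 0u64;
    for i in 0..sender.len() {
        let off = alloc.read_u64(i * 8); // second fetch, from receiver-writable memory
        check_offset(off, prev)?;
        prev = off;
        validated.push(off);
    }
    Ok(validated)
}

/// Fixed shape (after the patch): each offset is fetched once from the sender,
/// written into the allocation, and the same local copy is validated. The
/// receiver may still scribble on its mapping, but nothing the kernel decides
/// depends on what it finds there.
pub fn copy_offsets_single_fetch(
    sender: &[u64],
    alloc: &mut Alloc,
    receiver: impl FnOnce(&mut Alloc),
) -> Result<Vec<u64>, &'static str> {
    let mut validated = Vec::with_capacity(sender.len());
    let mut prev = 0u64;
    for (i, off) in sender.iter().enumerate() {
        let off = *off; // single fetch: this value is both written and validated
        alloc.write_u64(i * 8, off);
        check_offset(off, prev)?;
        prev = off;
        validated.push(off);
    }
    receiver(alloc); // same race window; the kernel never reads the allocation again
    Ok(validated)
}

/// Constructed scenario: the sender places objects at 0, 16 and 32; the
/// receiver rewrites the middle offset to 20, which still passes the checks.
pub fn scenario(fixed: bool) -> Result<Vec<u64>, &'static str> {
    let sender = [0u64, 16, 32];
    let mut alloc = Alloc::new(sender.len() * 8);
    let receiver = |a: &mut Alloc| a.write_u64(8, 20);
    if fixed {
        copy_offsets_single_fetch(&sender, &mut alloc, receiver)
    } else {
        copy_offsets_double_fetch(&sender, &mut alloc, receiver)
    }
}

fn main() {
    println!("double fetch validated: {:?}", scenario(false));
    println!("single fetch validated: {:?}", scenario(true));
}
```

With the double fetch, the kernel ends up validating and acting on [0, 20, 32] although the sender supplied [0, 16, 32]; with the single fetch it acts on [0, 16, 32] whatever the receiver writes, which is the property the patch restores.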
Thread overview: 7+ messages
2026-02-18 11:53 [PATCH v2 0/2] Fix VMA confusion in Rust Binder Alice Ryhl
2026-02-18 11:53 ` [PATCH v2 1/2] rust_binder: check ownership before using vma Alice Ryhl
2026-02-18 13:47 ` Danilo Krummrich
2026-02-18 15:54 ` Liam R. Howlett
2026-02-18 16:39 ` Alice Ryhl
2026-02-18 11:53 ` [PATCH v2 2/2] rust_binder: avoid reading the written value in offsets array Alice Ryhl
2026-02-18 16:02 ` Liam R. Howlett [this message]