From 93fa3455d63507e3c5f96c116d698ee9e5498d0c Mon Sep 17 00:00:00 2001
From: Xi_Yuhao
Date: Fri, 11 Feb 2022 12:14:49 +0800
Subject: [PATCH] binder:oneway ipc get token failed bugfix
ohos inclusion
category: bugfix
issue: #I4T64S
CVE: NA
-----------
tokendid is used for special app security control
Signed-off-by: Xi_Yuhao
---
 drivers/android/binder.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 3604f0df6896..c085eab1b2ec 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -555,6 +555,7 @@ struct binder_thread {
 struct binder_stats stats;
 atomic_t tmp_ref;
 bool is_dead;
+ struct access_token tokens;
 };
 
 /**
@@ -4554,6 +4555,10 @@ static int binder_thread_read(struct binder_proc *proc,
 if (t_from)
 binder_thread_dec_tmpref(t_from);
 t->buffer->allow_user_free = 1;
+ binder_inner_proc_lock(thread->proc);
+ thread->tokens.sender_tokenid = t->sender_tokenid;
+ thread->tokens.first_tokenid = t->first_tokenid;
+ binder_inner_proc_unlock(thread->proc);
 if (cmd != BR_REPLY && !(t->flags & TF_ONE_WAY)) {
 binder_inner_proc_lock(thread->proc);
 t->to_parent = thread->transaction_stack;
@@ -5165,14 +5170,8 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 goto err;
 }
 binder_inner_proc_lock(proc);
- if (thread->transaction_stack == NULL) {
- ret = -EFAULT;
- binder_inner_proc_unlock(proc);
- goto err;
- }
- token = thread->transaction_stack->sender_tokenid;
- ftoken = thread->transaction_stack->first_tokenid;
-
+ token = thread->tokens.sender_tokenid;
+ ftoken = thread->tokens.first_tokenid;
 binder_inner_proc_unlock(proc);
 if (put_user(token, &tokens->sender_tokenid)) {
 ret = -EINVAL;
-- Gitee
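Review bot: The new `tokens` member of `struct binder_thread` is added without any description of what it caches or which lock guards it. Going by the other hunks of this patch, it is written in binder_thread_read() and read in binder_ioctl(), both under the inner proc lock, so a comment on the member such as `/* token ids of the transaction last delivered to this thread; protected by proc->inner_lock */` would record that. The struct definition starts outside this hunk; if it carries a kernel-doc block with per-field entries, the matching `@tokens:` entry belongs there instead.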
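Review bot: The added copy into `thread->tokens` runs for every delivered transaction, including `BR_REPLY`, so a thread that makes an outgoing call while serving a request has the cached ids overwritten by whatever the reply transaction carries. A later token query on that thread would then report the replier's ids (or zeros, if replies do not populate these fields; that is not visible here) instead of the original caller's, which matters because the commit message ties the token id to security control. Restricting the copy to incoming requests, for example by wrapping the two assignments in `if (cmd != BR_REPLY) { ... }`, would avoid this. The copy also takes and drops the inner lock immediately before the following block takes it again for non-oneway calls; binder_thread_read() starts and ends outside the hunk.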
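Review bot: With the `transaction_stack == NULL` check removed, this path in binder_ioctl() no longer tells user space when no caller is in context. A thread that has never read a transaction returns whatever `thread->tokens` was initialised to, and a thread that finished a request earlier returns that earlier sender's ids, since nothing in the hunks shown clears the cache. A service that bases access decisions on these ids could therefore act on a stale identity. Reading the live transaction when one is on the stack and falling back to the cached copy only when the stack is empty keeps the old behaviour for synchronous calls; invalidating the cache once the oneway work is finished would need code outside this hunk, as binder_ioctl()'s body starts and ends outside it.

```c
	binder_inner_proc_lock(proc);
	if (thread->transaction_stack) {
		/* synchronous request in progress: use the live transaction */
		token = thread->transaction_stack->sender_tokenid;
		ftoken = thread->transaction_stack->first_tokenid;
	} else {
		/* oneway delivery: fall back to the copy saved at read time */
		token = thread->tokens.sender_tokenid;
		ftoken = thread->tokens.first_tokenid;
	}
	binder_inner_proc_unlock(proc);
	/* … unchanged: put_user() of token and ftoken … */
```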