From 818bd2d0541d0660bb57627564a024285d63db4f Mon Sep 17 00:00:00 2001
From: heppen
Date: Thu, 2 Nov 2023 20:37:03 +0800
Subject: [PATCH] binder: fix UAF caused by faulty buffer cleanup
---
 ...-UAF-caused-by-faulty-buffer-cleanup.patch | 76 +++++++++++++++++++
 README.md | 1 +
 binder.spec | 7 +-
 3 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 0002-fix-UAF-caused-by-faulty-buffer-cleanup.patch
diff --git a/0002-fix-UAF-caused-by-faulty-buffer-cleanup.patch b/0002-fix-UAF-caused-by-faulty-buffer-cleanup.patch
new file mode 100644
index 0000000..b7db496
--- /dev/null
+++ b/0002-fix-UAF-caused-by-faulty-buffer-cleanup.patch
@@ -0,0 +1,76 @@ +From 34c1c5d9804884e9cbc68b45cebf7d6f4f321581 Mon Sep 17 00:00:00 2001 +From: heppen +Date: Thu, 2 Nov 2023 20:34:28 +0800 +Subject: [PATCH] fix UAF caused by faulty buffer cleanup + +--- + binder.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/binder.c b/binder.c +index 35384d8..39fa0f6 100644 +--- a/binder.c ++++ b/binder.c +@@ -2267,24 +2267,23 @@ static void binder_deferred_fd_close(int fd) + static void binder_transaction_buffer_release(struct binder_proc *proc, + struct binder_thread *thread, + struct binder_buffer *buffer, +- binder_size_t failed_at, ++ binder_size_t off_end_offset, + bool is_failure) + { + int debug_id = buffer->debug_id; +- binder_size_t off_start_offset, buffer_offset, off_end_offset; ++ binder_size_t off_start_offset, buffer_offset; + + binder_debug(BINDER_DEBUG_TRANSACTION, + "%d buffer release %d, size %zd-%zd, failed at %llx\n", + proc->pid, buffer->debug_id, + buffer->data_size, buffer->offsets_size, +- (unsigned long long)failed_at); ++ (unsigned long long)off_end_offset); + + if (buffer->target_node) + binder_dec_node(buffer->target_node, 1, 0); + + off_start_offset = ALIGN(buffer->data_size, sizeof(void *)); +- off_end_offset = is_failure && failed_at ? 
failed_at : +- off_start_offset + buffer->offsets_size; ++ + for (buffer_offset = off_start_offset; buffer_offset < off_end_offset; + buffer_offset += sizeof(binder_size_t)) { + struct binder_object_header *hdr; +@@ -2444,6 +2443,21 @@ static void binder_transaction_buffer_release(struct binder_proc *proc, + } + } + ++/* Clean up all the objects in the buffer */ ++static inline void binder_release_entire_buffer(struct binder_proc *proc, ++ struct binder_thread *thread, ++ struct binder_buffer *buffer, ++ bool is_failure) ++{ ++ binder_size_t off_end_offset; ++ ++ off_end_offset = ALIGN(buffer->data_size, sizeof(void *)); ++ off_end_offset += buffer->offsets_size; ++ ++ binder_transaction_buffer_release(proc, thread, buffer, ++ off_end_offset, is_failure); ++} ++ + static int binder_translate_binder(struct flat_binder_object *fp, + struct binder_transaction *t, + struct binder_thread *thread) +@@ -3926,7 +3940,7 @@ binder_free_buf(struct binder_proc *proc, + binder_node_inner_unlock(buf_node); + } + trace_binder_transaction_buffer_release(buffer); +- binder_transaction_buffer_release(proc, thread, buffer, 0, is_failure); ++ binder_release_entire_buffer(proc, thread, buffer, is_failure); + binder_alloc_free_buf(&proc->alloc, buffer); + } + +-- +2.33.0 + diff --git a/README.md b/README.md index bdffe2a..1f3877a 100644 --- a/README.md +++ b/README.md @@ -43,6 +43,7 @@ openEuler 内核中存在开启 binder(边缘版本的树莓派)和未开启 tar zxvf binder-openEuler-22.03-LTS-SP2.tar.gz cd binder patch -p1 < ../0001-Adapt-binder-as-a-kernel-module.patch + patch -p1 < ../0002-fix-UAF-caused-by-faulty-buffer-cleanup.patch ``` 1. 编译生成 binder_linux.ko diff --git a/binder.spec b/binder.spec index 88fcccd..bb749d4 100644 --- a/binder.spec +++ b/binder.spec 
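Review bot: The binder_debug trace in the first hunk of the embedded patch still labels its last argument `failed at %llx` although the value it now prints is off_end_offset, which every caller passes — including the regular free path through binder_release_entire_buffer in the third hunk — so the log will report a "failure" offset on ordinary buffer releases. Renaming the label keeps the trace honest: `"%d buffer release %d, size %zd-%zd, end at %llx\n",`. The failure-path caller in binder_transaction() is not in this patch; with the `is_failure && failed_at` ternary removed, whatever it passes is used directly as the exclusive loop bound, so it is worth confirming that it passes the offset of the object whose translation failed rather than one past it, since a zero there is no longer treated as "release everything". The body of binder_transaction_buffer_release continues past the first hunk.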
@@ -3,13 +3,14 @@ Name: binder Version: 1.0.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Android Binder IPC Driver License: GPL-2.0 URL: https://gitee.com/openeuler/kernel/tree/%{oe_version}/drivers/android Source0: https://gitee.com/openeuler/kernel/%{name}-%{oe_version}.tar.gz Patch0: 0001-Adapt-binder-as-a-kernel-module.patch +Patch1: 0002-fix-UAF-caused-by-faulty-buffer-cleanup.patch BuildRequires: gcc, make, kernel-devel, uname-build-checks @@ -20,6 +21,7 @@ Binder is used in Android for both communication between processes, and remote m %prep %setup -c %patch0 -p1 -d %{_builddir}/%{name}-%{version}/binder +%patch1 -p1 -d %{_builddir}/%{name}-%{version}/binder # make. %build @@ -37,5 +39,8 @@ install -v binder_linux.ko %{buildroot}/%{binder_dest_path}/ /%{binder_dest_path}/*.ko %changelog +* Thu Dec 2 2023 Peng He - 1.0.0-2 +- Fix UAF caused by faulty buffer cleanup + * Mon Jun 26 2023 Peng He - 1.0.0-1 - Adapt binder as a kernel module -- Gitee
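Review bot: The %changelog entry added in the last binder.spec hunk, `* Thu Dec 2 2023 Peng He - 1.0.0-2`, carries a weekday that does not match the date (2 December 2023 is a Saturday), and rpmbuild reports such entries as a bogus date in %changelog; the commit itself is dated Thu, 2 Nov 2023, so the entry was presumably meant to read `* Thu Nov 2 2023 Peng He - 1.0.0-2`. The Patch1 and %patch1 lines in the earlier hunks mirror the existing Patch0 handling, which is consistent with the README step added for the new patch.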