Re: [PATCH v2] binder: use cred instead of task for selinux checks

2021-10-04 Thread Jann Horn
On Tue, Oct 5, 2021 at 1:38 AM Casey Schaufler wrote: > On 10/4/2021 3:28 PM, Jann Horn wrote: > > On Mon, Oct 4, 2021 at 6:19 PM Casey Schaufler > > wrote: > >> On 10/1/2021 3:58 PM, Jann Horn wrote: > >>> On Fri, Oct 1, 2021 at 10:10 PM Casey Schaufler &g

Re: [PATCH v2] binder: use cred instead of task for selinux checks

2021-10-04 Thread Jann Horn
On Mon, Oct 4, 2021 at 6:19 PM Casey Schaufler wrote: > On 10/1/2021 3:58 PM, Jann Horn wrote: > > On Fri, Oct 1, 2021 at 10:10 PM Casey Schaufler > > wrote: > >> On 10/1/2021 12:50 PM, Jann Horn wrote: > >>> On Fri, Oct 1, 2021 at 9:36 PM Jann Horn wrote: &

Re: [PATCH v3 0/3] Binder: Enable App Freezing Capability

2021-03-17 Thread Jann Horn
On Wed, Mar 17, 2021 at 7:00 PM Christian Brauner wrote: > On Mon, Mar 15, 2021 at 06:16:27PM -0700, Li Li wrote: > > To improve the user experience when switching between recently used > > applications, the background applications which are not currently needed > > are cached in the memory. Norma

[PATCH 2/3] binder: Prevent repeated use of ->mmap() via NULL mapping

2019-10-18 Thread Jann Horn
ove kernel vm_area for buffer space") Cc: sta...@vger.kernel.org Signed-off-by: Jann Horn --- drivers/android/binder_alloc.c | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c index 21952dfa147d..5393856

[PATCH] binder: Remove incorrect comment about vm_insert_page() behavior

2019-10-18 Thread Jann Horn
vm_insert_page() does increment the page refcount, and just to be sure, I've confirmed it by printing page_count(page[0].page_ptr) before and after vm_insert_page(). It's 1 before, 2 afterwards, as expected. Signed-off-by: Jann Horn --- drivers/android/binder_alloc.c | 1 - 1 file

UAF read in print_binder_transaction_log_entry() on ANDROID_BINDERFS kernels

2019-10-07 Thread Jann Horn
Hi! There is a use-after-free read in print_binder_transaction_log_entry() on ANDROID_BINDERFS kernels because print_binder_transaction_log_entry() prints the char* e->context_name as string, and if the transaction occurred on a binder device from binderfs, e->context_name belongs to the binder de

Re: [PATCH] android: binder: fix dangling pointer comparison

2016-06-18 Thread Jann Horn
On Sat, Jun 18, 2016 at 11:19 AM, ZhaoJunmin Zhao(Junmin) wrote: > On 2016/6/16 6:39, Jann Horn wrote: >> On Thu, Jun 16, 2016 at 12:31 AM, Arve Hjønnevåg wrote: >>> On Wed, Jun 15, 2016 at 3:09 PM, Jann Horn wrote: >>>> If /dev/binder is opened and the opener

Re: [PATCH] android: binder: fix dangling pointer comparison

2016-06-15 Thread Jann Horn
On Thu, Jun 16, 2016 at 12:31 AM, Arve Hjønnevåg wrote: > On Wed, Jun 15, 2016 at 3:09 PM, Jann Horn wrote: >> If /dev/binder is opened and the opener process then e.g. calls execve, >> proc->vma_vm_mm will still point to the location of the now-freed >> mm_struct. I

[PATCH] android/binder: fix fput comment

2015-12-25 Thread Jann Horn
Just something I noticed while looking at FD-passing code. Didn't test the change. BUG_ON is intentional, if someone rewrites the code to hit that, it can be a security issue. Signed-off-by: Jann Horn --- drivers/android/binder.c | 18 ++ 1 file changed, 14 insertions(