Re: [PATCH 0/3] binder: Prevent untranslated sender data from being copied to target

2021-11-24 Thread Greg KH
On Tue, Nov 23, 2021 at 11:17:34AM -0800, Todd Kjos wrote:
> Binder copies transactions directly from the sender buffer
> to the target buffer and then fixes up BINDER_TYPE_PTR and
> BINDER_TYPE_FDA objects. This means there is a brief time
> when sender pointers and fds are visible to the target
>

Re: [PATCH] binder: fix test regression due to sender_euid change

2021-11-24 Thread Greg KH
On Fri, Nov 19, 2021 at 03:39:59PM -0800, Todd Kjos wrote:
> On Fri, Nov 19, 2021 at 3:00 PM Paul Moore wrote:
> >
> > On Fri, Nov 12, 2021 at 1:07 PM Todd Kjos wrote:
> > >
> > > This is a partial revert of commit
> > > 29bc22ac5e5b ("binder: use euid from cred instead of using task").
> > > Set

Re: [PATCH 3/3] binder: defer copies of pre-patched txn data

2021-11-24 Thread Dan Carpenter
On Tue, Nov 23, 2021 at 11:17:37AM -0800, Todd Kjos wrote: > +/** > + * binder_do_deferred_txn_copies() - copy and fixup scatter-gather data > + * @alloc: binder_alloc associated with @buffer > + * @buffer: binder buffer in target process > + * @sgc_head:list_head of scatter-gather copy

Re: [PATCH 2/3] binder: read pre-translated fds from sender buffer

2021-11-24 Thread Dan Carpenter
On Tue, Nov 23, 2021 at 11:17:36AM -0800, Todd Kjos wrote:
> Since we are no longer going to copy the pre-fixup
> data from the target buffer, we need to read
> pre-translated FD array information from the source
> buffer.
>
The commit message is really misleading. From the commit message it sou

Re: [PATCH 3/3] binder: defer copies of pre-patched txn data

2021-11-24 Thread Dan Carpenter
On Tue, Nov 23, 2021 at 11:17:37AM -0800, Todd Kjos wrote: > +static int binder_do_deferred_txn_copies(struct binder_alloc *alloc, > + struct binder_buffer *buffer, > + struct list_head *sgc_head, > +

Re: [PATCH 1/3] binder: avoid potential data leakage when copying txn

2021-11-24 Thread Dan Carpenter
On Tue, Nov 23, 2021 at 11:17:35AM -0800, Todd Kjos wrote:
> Transactions are copied from the sender to the target
> first and objects like BINDER_TYPE_PTR and BINDER_TYPE_FDA
> are then fixed up. This means there is a short period where
> the sender's version of these objects is visible to the
>

Re: [PATCH 1/3] binder: avoid potential data leakage when copying txn

2021-11-24 Thread kernel test robot
Hi Todd, I love your patch! Perhaps something to improve: [auto build test WARNING on staging/staging-testing] [also build test WARNING on v5.16-rc2 next-20211124] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--bas

[driver-core:driver-core-testing] BUILD SUCCESS 393c3714081a53795bbff0e985d24146def6f57f

2021-11-24 Thread kernel test robot
allmodconfig i386 randconfig-c001-20211124 i386 randconfig-c001-20211125 m68k hp300_defconfig mips pic32mzda_defconfig arm cns3420vb_defconfig m68k

Re: [PATCH 2/3] binder: read pre-translated fds from sender buffer

2021-11-24 Thread Dan Carpenter
On Wed, Nov 24, 2021 at 12:33:20PM -0800, Todd Kjos wrote:
> I agree -- if copy_from_user() for some reason doesn't copy the whole
> buffer, it might return a positive integer. Then it would skip
> binder_translate_fd(), but not return. That should probably be
> something like:
>
> if (ret)
>