On Wed, Jun 12, 2019 at 01:29:27PM -0700, Todd Kjos wrote:
> There is a race between the binder driver cleaning
> up a completed transaction via binder_free_transaction()
> and a user calling binder_ioctl(BC_FREE_BUFFER) to
> release a buffer. It doesn't matter which is first but
> they need to be
On Wed, Jun 12, 2019 at 10:41 PM Greg KH wrote:
>
> On Wed, Jun 12, 2019 at 01:29:27PM -0700, Todd Kjos wrote:
> > There is a race between the binder driver cleaning
> > up a completed transaction via binder_free_transaction()
> > and a user calling binder_ioctl(BC_FREE_BUFFER) to
> > release a bu
There is a race between the binder driver cleaning
up a completed transaction via binder_free_transaction()
and a user calling binder_ioctl(BC_FREE_BUFFER) to
release a buffer. It doesn't matter which is first but
they need to be protected against running concurrently
which can result in a UAF.
Si
3 matches
Mail list logo
