Google Git
Sign in
kernel / pub / scm / linux / kernel / git / stable / stable-queue / 17d726468c7082caab1b07ef78a67548c18705c5 / . / releases / 4.8.7 / android-binder-clear-binder-and-cookie-when-setting-handle-in-flat-binder-struct.patch
blob: f6a51d780aae354750e75556da04c14876f9c91e [file] [log] [blame]
From 4afb604e2d14d429ac9e1fd84b952602853b2df5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arve=20Hj=C3=B8nnev=C3=A5g?= <arve@android.com>
Date: Mon, 24 Oct 2016 15:20:30 +0200
Subject: ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Arve Hjønnevåg <arve@android.com>
commit 4afb604e2d14d429ac9e1fd84b952602853b2df5 upstream.
Prevents leaking pointers between processes
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Martijn Coenen <maco@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/binder.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1585,7 +1585,9 @@ static void binder_transaction(struct bi
fp->type = BINDER_TYPE_HANDLE;
else
fp->type = BINDER_TYPE_WEAK_HANDLE;
+ fp->binder = 0;
fp->handle = ref->desc;
+ fp->cookie = 0;
binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE,
&thread->todo);
@@ -1635,7 +1637,9 @@ static void binder_transaction(struct bi
return_error = BR_FAILED_REPLY;
goto err_binder_get_ref_for_node_failed;
}
+ fp->binder = 0;
fp->handle = new_ref->desc;
+ fp->cookie = 0;
binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL);
trace_binder_transaction_ref_to_ref(t, ref,
new_ref);
@@ -1689,6 +1693,7 @@ static void binder_transaction(struct bi
binder_debug(BINDER_DEBUG_TRANSACTION,
" fd %d -> %d\n", fp->handle, target_fd);
/* TODO: fput? */
+ fp->binder = 0;
fp->handle = target_fd;
} break;