| author | Arve Hjønnevåg <arve@android.com> | 2016-10-24 09:20:30 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2016-10-24 13:37:48 -0400 |
| commit | 4afb604e2d14d429ac9e1fd84b952602853b2df5 (patch) | |
| tree | 6aaa0748e70061782de8c96839d3d9477179e92f /drivers/android | |
| parent | 0a3ffab93fe52530602fe47cd74802cffdb19c05 (diff) | |
ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct
Prevents leaking pointers between processes
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Martijn Coenen <maco@android.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/android')
| -rw-r--r-- | drivers/android/binder.c | 5 |
1 files changed, 5 insertions, 0 deletions
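diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 3681759c22d7..3c71b982bf2a 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1584,7 +1584,9 @@ static void binder_transaction(struct binder_proc *proc,
 fp->type = BINDER_TYPE_HANDLE;
 else
 fp->type = BINDER_TYPE_WEAK_HANDLE;
+fp->binder = 0;
 fp->handle = ref->desc;
+fp->cookie = 0;
 binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE,
 &thread->todo);
 
@@ -1634,7 +1636,9 @@ static void binder_transaction(struct binder_proc *proc,
 return_error = BR_FAILED_REPLY;
 goto err_binder_get_ref_for_node_failed;
 }
+fp->binder = 0;
 fp->handle = new_ref->desc;
+fp->cookie = 0;
 binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL);
 trace_binder_transaction_ref_to_ref(t, ref,
 new_ref);
@@ -1688,6 +1692,7 @@ static void binder_transaction(struct binder_proc *proc,
 binder_debug(BINDER_DEBUG_TRANSACTION,
 " fd %d -> %d\n", fp->handle, target_fd);
 /* TODO: fput? */
+fp->binder = 0;
 fp->handle = target_fd;
 } break;
 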
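Review bot: The three added `fp->binder = 0;` stores sit directly before a `fp->handle = …` assignment with no comment, so they read as dead stores unless the reader already knows that `binder` and `handle` share storage in `struct flat_binder_object` (declared outside this page) and that the `handle` write may cover only part of it. A one-line comment at the first site, e.g. `/* binder overlaps handle and may be wider: zero it first so no sender pointer bits reach the target */`, would stop a later cleanup from dropping or reordering the store. The third hunk (the fd case) clears only `binder`, while the two handle cases also clear `cookie`; if the sender-supplied cookie is meant to pass through unchanged for fds, a comment there should say so, otherwise `fp->cookie = 0;` belongs after `fp->handle = target_fd;`. All three hunks are inside `binder_transaction`, whose body starts and ends outside the visible lines.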
