projects / firefly-linux-kernel-4.4.55.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 14f09e8)
ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct
authorArve Hjønnevåg <arve@android.com>
Mon, 24 Oct 2016 13:20:30 +0000 (15:20 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 10 Nov 2016 15:36:33 +0000 (16:36 +0100)
commit 4afb604e2d14d429ac9e1fd84b952602853b2df5 upstream.

Prevents leaking pointers between processes

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Martijn Coenen <maco@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/android/binder.c patch | blob | history

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index f145dd9643fc10081dcd85d8aaeb143b595737e9..47ddfefe24431b1274cbac8f1eb1318a8d6e7a08 100644 (file)
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1578,7 +1578,9 @@ static void binder_transaction(struct binder_proc *proc,
                                fp->type = BINDER_TYPE_HANDLE;
                        else
                                fp->type = BINDER_TYPE_WEAK_HANDLE;
+                       fp->binder = 0;
                        fp->handle = ref->desc;
+                       fp->cookie = 0;
                        binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE,
                                       &thread->todo);
 
@@ -1628,7 +1630,9 @@ static void binder_transaction(struct binder_proc *proc,
                                        return_error = BR_FAILED_REPLY;
                                        goto err_binder_get_ref_for_node_failed;
                                }
+                               fp->binder = 0;
                                fp->handle = new_ref->desc;
+                               fp->cookie = 0;
                                binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL);
                                trace_binder_transaction_ref_to_ref(t, ref,
                                                                    new_ref);
@@ -1682,6 +1686,7 @@ static void binder_transaction(struct binder_proc *proc,
                        binder_debug(BINDER_DEBUG_TRANSACTION,
                                     "        fd %d -> %d\n", fp->handle, target_fd);
                        /* TODO: fput? */
+                       fp->binder = 0;
                        fp->handle = target_fd;
                } break;
 
Unnamed repository; edit this file 'description' to name the repository.