Re: [PATCH] rust_binder: add additional alignment checks
From: Jann Horn
Date: Tue Feb 17 2026 - 12:48:55 EST
On Fri, Jan 23, 2026 at 5:23 PM Alice Ryhl <aliceryhl@xxxxxxxxxx> wrote:
> This adds some alignment checks to match C Binder more closely. This
> causes the driver to reject more transactions. I don't think any of the
> transactions in question are harmful, but it's still a bug because it's
> the wrong uapi to accept them.
FYI, this actually fixed something somewhat harmful: Before this
patch, `unused_buffer_space` was sized such that BINDER_TYPE_PTR
objects could grow into the area reserved for the secctx; so you
could, for example, clobber the secctx string with a BINDER_TYPE_FDA
file descriptor fixup, resulting in an incoming transaction where a
file descriptor number appears in the middle of the secctx string:
00000060 75 6e 63 6f 6e 66 69 6e 65 64 5f 75 3a 75 6e 63 |unconfined_u:unc|
00000070 05 00 00 00 6e 65 64 5f 72 3a 75 6e 63 6f 6e 66 |....ned_r:unconf|
00000080 69 6e 65 64 5f 74 3a 73 30 2d 73 30 3a 63 30 2e |ined_t:s0-s0:c0.|
00000090 63 31 30 32 33 00 00 00 00 00 00 00 00 00 00 00 |c1023...........|
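To make the accounting problem concrete, here is a constructed C model of what the message above describes. It is an added illustration, not code from rust_binder, C Binder, or either author: buffer size, the 8-byte alignment of the secctx tail, the bump allocator for BINDER_TYPE_PTR buffers and the function names are all assumptions. The only thing it takes from the page is the shape of the bug: the "unused" region PTR buffers may occupy ran to the end of the transaction buffer instead of stopping where the secctx begins, so an FDA fixup into such a PTR buffer could write an fd number over the secctx string.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy transaction buffer (assumption: 128 bytes, secctx at an 8-aligned tail). */
#define BUF_SIZE 128
#define ALIGN_UP(x, a) (((x) + ((a) - 1)) & ~((size_t)(a) - 1))

/* Constructed sample, the same secctx string seen in the hexdump above. */
static const char SECCTX[] =
    "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023";

struct txn {
    uint8_t buf[BUF_SIZE];
    size_t data_size;   /* sender's data + offsets at the start of buf */
    size_t sg_next;     /* bump pointer for BINDER_TYPE_PTR object buffers */
    size_t unused_end;  /* end of the region PTR buffers are allowed to use */
    size_t secctx_off;  /* where the kernel placed the secctx string */
};

/* subtract_secctx == false reproduces the pre-patch sizing of unused space. */
static void txn_init(struct txn *t, size_t data_size, bool subtract_secctx)
{
    memset(t, 0, sizeof *t);
    t->data_size = data_size;
    t->sg_next = ALIGN_UP(data_size, 8);
    t->secctx_off = BUF_SIZE - ALIGN_UP(sizeof SECCTX, 8);
    memcpy(t->buf + t->secctx_off, SECCTX, sizeof SECCTX);
    /* The bug: the unused region ran to the end of the buffer, secctx included. */
    t->unused_end = subtract_secctx ? t->secctx_off : BUF_SIZE;
}

/* Place a BINDER_TYPE_PTR object's buffer of len bytes; returns its offset or -1. */
static long ptr_buffer_alloc(struct txn *t, size_t len)
{
    size_t off = t->sg_next;
    if (off > t->unused_end || len > t->unused_end - off)
        return -1;
    t->sg_next = ALIGN_UP(off + len, 8);
    return (long)off;
}

/* FDA-style fixup: write num_fds u32 fd numbers at parent_offset inside the parent. */
static bool fda_fixup(struct txn *t, size_t parent_off, size_t parent_len,
                      size_t parent_offset, const uint32_t *fds, size_t num_fds)
{
    size_t fd_buf_size = num_fds * sizeof(uint32_t);
    if (parent_offset % sizeof(uint32_t) != 0)          /* u32 alignment (assumed) */
        return false;
    if (fd_buf_size > parent_len || parent_offset > parent_len - fd_buf_size)
        return false;                                    /* stays inside the parent */
    memcpy(t->buf + parent_off + parent_offset, fds, fd_buf_size);
    return true;
}

struct outcome {
    bool ptr_accepted;     /* did the oversized PTR buffer get placed? */
    bool fixup_accepted;   /* did the fd fixup into it go through? */
    bool secctx_intact;    /* is the secctx string still what the kernel wrote? */
};

/* 16 bytes of sender data, then an 80-byte PTR buffer ([16,96) reaches the secctx at 72),
 * then one fd (number 5) written 60 bytes into that buffer, i.e. at offset 76. */
static struct outcome run(bool subtract_secctx)
{
    struct txn t;
    struct outcome o = {false, false, false};
    txn_init(&t, 16, subtract_secctx);
    long p = ptr_buffer_alloc(&t, 80);
    o.ptr_accepted = p >= 0;
    if (o.ptr_accepted) {
        uint32_t fds[1] = {5};
        o.fixup_accepted = fda_fixup(&t, (size_t)p, 80, 60, fds, 1);
    }
    o.secctx_intact = memcmp(t.buf + t.secctx_off, SECCTX, sizeof SECCTX) == 0;
    return o;
}

/* A PTR buffer that stays below the secctx is still accepted after the fix,
 * and the next one that would cross into the secctx is refused. */
static bool legit_ptr_fits(void)
{
    struct txn t;
    txn_init(&t, 16, true);
    return ptr_buffer_alloc(&t, 48) == 16 && ptr_buffer_alloc(&t, 16) == -1;
}

int main(void)
{
    struct outcome before = run(false), after = run(true);
    printf("before: ptr %d fixup %d secctx intact %d\n",
           before.ptr_accepted, before.fixup_accepted, before.secctx_intact);
    printf("after:  ptr %d fixup %d secctx intact %d\n",
           after.ptr_accepted, after.fixup_accepted, after.secctx_intact);
    return 0;
}
```

The per-fixup bounds check in fda_fixup is correct in both runs; it only guarantees the write stays inside the parent PTR buffer. The clobber happens because the parent itself was allowed to extend over the secctx, which is why the fix belongs in the sizing of the unused region rather than in the fixup check.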