Re: [PATCH 2/2] rust_binder: avoid reading the written value in offsets array

From: Alice Ryhl

Date: Tue Feb 17 2026 - 15:03:52 EST


On Tue, Feb 17, 2026 at 5:35 PM Jann Horn <jannh@xxxxxxxxxx> wrote:
>
> On Tue, Feb 17, 2026 at 3:22 PM Alice Ryhl <aliceryhl@xxxxxxxxxx> wrote:
> > When sending a transaction, its offsets array is first copied into the
> > target proc's vma, and then the values are read back from there. This is
> > normally fine because the vma is a read-only mapping, so the target
> > process cannot change the value under us.
> >
> > However, if the target process somehow gains the ability to write to its
> > own vma, it could change the offset before it's read back, causing the
> > kernel to misinterpret what the sender meant. If the sender happens to
> > send a payload with a specific shape, this could in the worst case lead
> > to the receiver being able to privilege escalate into the sender.
> >
> > The intent is that gaining the ability to change the read-only vma of
> > your own process should not be exploitable, so remove this TOCTOU read
> > even though it's unexploitable without another Binder bug.
>
> With this, the only remaining read from the ShrinkablePageRange is in
> AllocationView::cleanup_object(), correct? If I understand correctly,
> that is fine because it can only drop references on handles (which
> userspace could equivalently do via BC_RELEASE/BC_DECREFS) and on
> binders (which would probably also have its influence limited to the
> process)?

Yeah, that's the idea.

Alice
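
The double fetch described in the quoted commit message, as an added example that is not part of the original thread and is not rust_binder code. `Mapping`, `racer` and both function names are hypothetical; `racer` stands in for a target process that can write to its own mapping between the kernel's write and its read-back.

```rust
// Constructed model, not rust_binder code. `Mapping` stands in for the
// buffer in the target process's vma that the kernel copies offsets into.
struct Mapping {
    words: Vec<u64>,
}

/// Double fetch: copy each offset into the mapping, then read it back from there.
fn offsets_read_back(sender: &[u64], map: &mut Mapping, racer: impl Fn(&mut Mapping)) -> Vec<u64> {
    let mut used = Vec::new();
    for (i, &off) in sender.iter().enumerate() {
        map.words[i] = off; // value as the sender supplied it
        racer(map); // window in which a writable mapping can change
        used.push(map.words[i]); // time of use: the value now comes from the target
    }
    used
}

/// Single fetch: keep the value in a local and never re-read the mapping.
fn offsets_single_fetch(sender: &[u64], map: &mut Mapping, racer: impl Fn(&mut Mapping)) -> Vec<u64> {
    let mut used = Vec::new();
    for (i, &off) in sender.iter().enumerate() {
        map.words[i] = off;
        racer(map); // the same interference, but it no longer matters
        used.push(off); // interpretation uses what the sender meant
    }
    used
}

fn main() {
    // Constructed sample offsets and a constructed interfering write.
    let sender = [0x10u64, 0x28];
    let tamper = |m: &mut Mapping| {
        for w in m.words.iter_mut() {
            *w = 0x40;
        }
    };
    let mut a = Mapping { words: vec![0; 2] };
    let mut b = Mapping { words: vec![0; 2] };
    println!("read back:    {:x?}", offsets_read_back(&sender, &mut a, tamper));
    println!("single fetch: {:x?}", offsets_single_fetch(&sender, &mut b, tamper));
}
```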