Re: [PATCH] rust_binder: add additional alignment checks
From: Alice Ryhl
Date: Tue Feb 17 2026 - 15:06:17 EST
On Tue, Feb 17, 2026 at 6:48 PM Jann Horn <jannh@xxxxxxxxxx> wrote:
>
> On Fri, Jan 23, 2026 at 5:23 PM Alice Ryhl <aliceryhl@xxxxxxxxxx> wrote:
> > This adds some alignment checks to match C Binder more closely. This
> > causes the driver to reject more transactions. I don't think any of the
> > transactions in question are harmful, but it's still a bug because it's
> > the wrong uapi to accept them.
>
> FYI, this actually fixed something somewhat harmful: Before this
> patch, `unused_buffer_space` was sized such that BINDER_TYPE_PTR
> objects could grow into the area reserved for the secctx; so you
> could, for example, clobber the secctx string with a BINDER_TYPE_FDA
> file descriptor fixup, resulting in an incoming transaction where a
> file descriptor number appears in the middle of the secctx string:
>
> 00000060 75 6e 63 6f 6e 66 69 6e 65 64 5f 75 3a 75 6e 63 |unconfined_u:unc|
> 00000070 05 00 00 00 6e 65 64 5f 72 3a 75 6e 63 6f 6e 66 |....ned_r:unconf|
> 00000080 69 6e 65 64 5f 74 3a 73 30 2d 73 30 3a 63 30 2e |ined_t:s0-s0:c0.|
> 00000090 63 31 30 32 33 00 00 00 00 00 00 00 00 00 00 00 |c1023...........|
Ah yeah. I suppose it's good that BINDER_TYPE_FDA isn't used on modern Android.
Alice
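The buffer-sizing issue Jann describes, as an added Rust model that is not the rust_binder driver's own code: the secctx string is reserved at the tail of the transaction buffer, and a fixup write is accepted only if it ends before the writable bound, with `writable_end_buggy` reproducing the old bound and `writable_end_fixed` the corrected one. The layout, type names and sample secctx are constructed for illustration.

```rust
// Constructed model of a binder transaction buffer (not the kernel's code):
// the payload (data + offsets) sits at the start and the secctx string is
// reserved at the tail. Object fixups such as a BINDER_TYPE_FDA storing fd
// numbers may only land in the space before the secctx region.
#[derive(Debug, PartialEq)]
pub enum FixupError {
    OutOfRange { end: usize, writable_end: usize },
}

pub struct TxnBuffer {
    pub buf: Vec<u8>,      // whole allocation, secctx already copied to the tail
    pub payload_len: usize,
    pub secctx_len: usize,
}

impl TxnBuffer {
    /// Old bound: everything past the payload counts as writable, secctx included.
    pub fn writable_end_buggy(&self) -> usize {
        self.buf.len()
    }

    /// Fixed bound: writes must stop where the reserved secctx region starts.
    pub fn writable_end_fixed(&self) -> usize {
        self.buf.len().saturating_sub(self.secctx_len)
    }

    /// Apply an FDA-style fixup: store a 4-byte little-endian fd number at `off`
    /// if the write ends at or before `writable_end`; otherwise reject it untouched.
    pub fn apply_fd_fixup(&mut self, off: usize, fd: u32, writable_end: usize) -> Result<(), FixupError> {
        let limit = writable_end.min(self.buf.len());
        match off.checked_add(4) {
            Some(end) if end <= limit => {
                self.buf[off..end].copy_from_slice(&fd.to_le_bytes());
                Ok(())
            }
            Some(end) => Err(FixupError::OutOfRange { end, writable_end }),
            None => Err(FixupError::OutOfRange { end: usize::MAX, writable_end }),
        }
    }

    /// The secctx bytes exactly as the receiving process would see them.
    pub fn secctx(&self) -> &[u8] {
        &self.buf[self.buf.len() - self.secctx_len..]
    }
}

/// Constructed layout: 0x50 bytes payload, 0x10 bytes spare, 0x40 bytes secctx at 0x60.
pub fn sample_buffer() -> TxnBuffer {
    let secctx = b"unconfined_u:unconfined_r:unconfined_t:s0-s0:c1023\0";
    let mut buf = vec![0u8; 0xA0];
    buf[0x60..0x60 + secctx.len()].copy_from_slice(secctx);
    TxnBuffer { buf, payload_len: 0x50, secctx_len: 0x40 }
}
```

With the old bound a fixup at offset 0x70 silently overwrites four bytes of the secctx (the `05 00 00 00` in the dump above); with the fixed bound the same fixup is rejected and the string stays intact.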