Re: [PATCH v2] rust_binder: reject context manager self-transaction
From: Carlos Llamas
Date: Wed Jun 24 2026 - 20:38:59 EST
On Tue, Jun 23, 2026 at 11:37:11AM +0000, Alice Ryhl wrote:
> On Mon, Jun 22, 2026 at 08:28:01PM +0530, Keshav Verma wrote:
> > Rust Binder resolves handle 0 to the context manager node, but it does not
> > reject the case where the caller owns the same node.
> >
> > The C binder driver rejects transactions from the context-manager process
> > to handle 0 after resolving the target node. Match that behavior in Rust
> > Binder by rejecting handle 0 transactions when the resolved context-manager
> > node is owned by the calling process.
> >
> > This applies to both synchronous and oneway transactions because both paths
> > resolve the target through Process::get_transaction_node().
> >
> > Cc: stable@xxxxxxxxxx
> > Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
> > Signed-off-by: Keshav Verma <iganschel@xxxxxxxxx>
> > ---
> > Changes in v2:
> > - Compare the underlying OS process task instead of Rust Binder `Process` object.
>
> I would prefer to compare the Binder Process object. Rejecting
> transactions between different fds owned by the same process doesn't
> really have any benefit and makes fuzz testing much harder.
>
> Alice
Hey Alice,
The restrictions were added in the C version in order to patch
vulnerabilities associated with this "self-transaction" behavior.
See: http://git.kernel.org/torvalds/c/4b836a1426cb
I haven't really looked much into this, but do we even need this for the
Rust version? Is this even fixing anything at all?
--
Carlos Llamas