Re: [PATCH v2] rust_binder: reject context manager self-transaction
From: Alice Ryhl
Date: Thu Jun 25 2026 - 01:52:32 EST
On Thu, Jun 25, 2026 at 2:38 AM Carlos Llamas <cmllamas@xxxxxxxxxx> wrote:
>
> On Tue, Jun 23, 2026 at 11:37:11AM +0000, Alice Ryhl wrote:
> > On Mon, Jun 22, 2026 at 08:28:01PM +0530, Keshav Verma wrote:
> > > Rust binder resolves handle 0 to the context manager node, but it does not
> > > reject the case where the caller owns the same node.
> > >
> > > The C binder driver rejects transactions from the context-manager process
> > > to handle 0 after resolving the target node. Match that behavior in Rust
> > > Binder by rejecting handle 0 transactions when the resolved context-manager
> > > node is owned by the calling process.
> > >
> > > This applies to both synchronous and oneway transactions because both paths
> > > resolve the target through Process::get_transaction_node().
> > >
> > > Cc: stable@xxxxxxxxxx
> > > Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
> > > Signed-off-by: Keshav Verma <iganschel@xxxxxxxxx>
> > > ---
> > > Changes in v2:
> > > - Compare the underlying OS process task instead of Rust Binder `Process` object.
> >
> > I would prefer to compare the Binder Process object. Rejecting
> > transactions between different fds owned by the same process doesn't
> > really have any benefit and makes fuzz testing much harder.
> >
> > Alice
>
> Hey Alice,
>
> The restrictions were added in the C version in order to patch
> vulnerabilities associated with this "self-transaction" behavior.
> See: http://git.kernel.org/torvalds/c/4b836a1426cb
>
> I haven't really looked much into this, but do we even need this for the
> Rust version? Is this even fixing anything at all?

Even if there's no vulnerability, self-transactions are still very
weird and may introduce edge cases I can't think of. I would prefer to
reject them.

Alice
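The thread turns on which identity the self-transaction check should compare: the Rust Binder `Process` object (one per opened fd, as in v1) or the underlying OS task (as in v2). The following is an added illustration, not code from this patch or from rust_binder: a constructed toy model in which `Process`, `Node`, `Context`, `SelfCheck` and `TxError` are all hypothetical names, and handle 0 is resolved first and only then checked against the caller, as the commit message describes for the C driver. It plays through the case Alice raises, a second fd opened by the context manager's own OS process, under both policies.

```rust
// Added illustration, not rust_binder code. Every type here (Process, Node,
// Context, SelfCheck, TxError) is a constructed toy model of the handle-0
// resolution discussed in the thread.
use std::rc::Rc;

#[derive(Debug, PartialEq)]
pub enum TxError {
    /// Handle 0 was used but no context manager has been registered.
    NoContextManager,
    /// The caller tried to transact with a node it owns itself.
    SelfTransaction,
}

/// One opened binder file descriptor. The real driver creates one `Process`
/// per open fd, so several `Process` objects may share one OS process (tgid).
#[derive(Debug)]
pub struct Process {
    pub tgid: u32,
    pub label: &'static str,
}

/// A binder node; each node is owned by exactly one `Process`.
pub struct Node {
    pub owner: Rc<Process>,
}

/// Which identity the self-transaction check compares, mirroring the two
/// options debated in the thread (v1 compared `Process`, v2 compared the task).
#[derive(Clone, Copy, Debug)]
pub enum SelfCheck {
    /// Reject only when the caller *is* the owning `Process` object (same fd).
    ByProcessObject,
    /// Reject whenever the caller's OS process owns the node (any fd of it).
    ByTask,
}

pub struct Context {
    context_manager: Option<Rc<Node>>,
}

impl Context {
    pub fn new(context_manager: Option<Rc<Node>>) -> Self {
        Context { context_manager }
    }

    /// Resolve handle 0 for `caller`, then apply the self-transaction check
    /// after resolution. Both sync and oneway paths would funnel through
    /// this one resolver, so a single check covers both.
    pub fn resolve_handle0(
        &self,
        caller: &Rc<Process>,
        policy: SelfCheck,
    ) -> Result<Rc<Node>, TxError> {
        let node = self
            .context_manager
            .clone()
            .ok_or(TxError::NoContextManager)?;
        let is_self = match policy {
            SelfCheck::ByProcessObject => Rc::ptr_eq(&node.owner, caller),
            SelfCheck::ByTask => node.owner.tgid == caller.tgid,
        };
        if is_self {
            return Err(TxError::SelfTransaction);
        }
        Ok(node)
    }
}

/// Constructed scenario: the context manager's own fd, a second fd opened by
/// the same OS process, and an unrelated client.
pub struct Scenario {
    pub ctx: Context,
    pub sm_fd: Rc<Process>,
    pub sm_second_fd: Rc<Process>,
    pub client: Rc<Process>,
}

pub fn scenario() -> Scenario {
    let sm_fd = Rc::new(Process { tgid: 100, label: "servicemanager fd#1" });
    let sm_second_fd = Rc::new(Process { tgid: 100, label: "servicemanager fd#2" });
    let client = Rc::new(Process { tgid: 200, label: "client" });
    let cm_node = Rc::new(Node { owner: Rc::clone(&sm_fd) });
    Scenario { ctx: Context::new(Some(cm_node)), sm_fd, sm_second_fd, client }
}

fn main() {
    let s = scenario();
    for policy in [SelfCheck::ByProcessObject, SelfCheck::ByTask] {
        for caller in [&s.sm_fd, &s.sm_second_fd, &s.client] {
            let verdict = match s.ctx.resolve_handle0(caller, policy) {
                Ok(_) => "allowed".to_string(),
                Err(e) => format!("rejected ({:?})", e),
            };
            println!("{:?}: {} -> handle 0: {}", policy, caller.label, verdict);
        }
    }
}
```

Under `ByProcessObject` only the fd that actually owns the context-manager node is refused and the second fd of the same OS process goes through; under `ByTask` both fds are refused, which is the extra rejection the thread weighs against fuzzing convenience.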