commit | f4e6de359de95139fc77d3190867a36169fe8051 | |
---|---|---|
author | Todd Kjos <tkjos@google.com> | Mon Jun 10 09:14:25 2019 -0700 |
committer | Todd Kjos <tkjos@google.com> | Mon Aug 05 08:51:41 2019 -0700 |
tree | 2f17882cae48c41323f967f6c01bf79c7716789e | |
parent | c79f4e1050cb87e3eaf7178e6d7bb3bacdf4cab7 | |

binder: binder: fix possible UAF when freeing buffer

There is a race between the binder driver cleaning up a completed transaction via binder_free_transaction() and a user calling binder_ioctl(BC_FREE_BUFFER) to release a buffer. It doesn't matter which is first but they need to be protected against running concurrently which can result in a UAF.

Bug: 133758011

Change-Id: Ie1426ff3d00218d050d61ff77b333ddf8818b7c9

Signed-off-by: Todd Kjos <tkjos@google.com>