Google Git
Sign in
android / kernel / common / 22c24eea301b7d28f60cc452a4215f4f0b00af4d
commit22c24eea301b7d28f60cc452a4215f4f0b00af4d[log] [tgz]
authorChenbo Feng <[email protected]>Tue Nov 28 18:22:11 2017 -0800
committerTodd Kjos <[email protected]>Wed Feb 07 15:48:37 2018 -0800
tree17369b4a03a09a3fe9c2166ede349bd745164e62
parenta4b334e1f65f6ff432ef6215c8b93f83dad17097 [diff]
ANDROID: qtaguid: Fix the UAF probelm with tag_ref_tree

When multiple threads is trying to tag/delete the same socket at the
same time, there is a chance the tag_ref_entry of the target socket to
be null before the uid_tag_data entry is freed. It is caused by the
ctrl_cmd_tag function where it doesn't correctly grab the spinlocks
when tagging a socket.

Signed-off-by: Chenbo Feng <[email protected]>
Bug: 65853158
Change-Id: I5d89885918054cf835370a52bff2d693362ac5f0
1 file changed
tree: 17369b4a03a09a3fe9c2166ede349bd745164e62
  1. android/
  2. arch/
  3. block/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .gitignore
  24. .mailmap
  25. COPYING
  26. CREDITS
  27. Kbuild
  28. Kconfig
  29. MAINTAINERS
  30. Makefile
  31. README
  32. REPORTING-BUGS