binder: Fix Information disclosure vulnerability
author Gagan Grover <ggrover@nvidia.com>
Tue, 15 Nov 2016 06:29:38 +0000 (11:29 +0530)
committer mobile promotions <svcmobile_promotions@nvidia.com>
Wed, 23 Nov 2016 01:14:10 +0000 (17:14 -0800)
commit bfd92481a78132cfb8af383d93e4b1dba1e179f6
tree 6df9963a741da53a7ece045c9fbf2bed88bf2462
parent b2eba7fec629035e2834174139f27b8093a3dbf8
binder: Fix Information disclosure vulnerability

The interaction between the kernel /dev/binder and the usermode
Parcel.cpp means that when a Binder object is passed as
BINDER_TYPE_BINDER or BINDER_TYPE_WEAK_BINDER, a pointer to that
object (in the server process) is leaked to the client process as the
cookie value. This leads to a leak of a heap address in many of the
privileged Binder services, including system_server.
The fix is designed to zero out the Binder pointer and cookie before
sending it to the client process.

Bug 1812688

Change-Id: Ie5374c3126e226f783e2d043139f9ba61e383bd9
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1253265
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
drivers/android/binder.c
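As an added illustration (not the kernel's drivers/android/binder.c and not part of this commit), a user-space C model of the flat_binder_object translation the message describes: the struct layout mirrors the uapi header's union of binder and handle, the type tag values and sender-side addresses are constructed, and leaked_bytes() measures how much of the sender's pointer and cookie survives translation with and without the zeroing the fix adds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
typedef uint64_t binder_uintptr_t;
/* Constructed type tags; the real BINDER_TYPE_* values differ. */
enum { BINDER_TYPE_BINDER = 1, BINDER_TYPE_WEAK_BINDER = 2,
       BINDER_TYPE_HANDLE = 3, BINDER_TYPE_WEAK_HANDLE = 4 };
/* Mirrors the uapi flat_binder_object layout: 'binder' and 'handle' share storage. */
struct flat_binder_object {
    uint32_t type;
    uint32_t flags;
    union {
        binder_uintptr_t binder;   /* sender-side object pointer */
        uint32_t handle;           /* receiver-side reference descriptor */
    };
    binder_uintptr_t cookie;       /* sender-side cookie, a pointer in practice */
};
/* Rewrite a local binder object into a handle; zero_server_fields == false models the pre-fix path. */
static void translate_to_handle(struct flat_binder_object *fp, uint32_t desc,
                                bool zero_server_fields)
{
    if (fp->type != BINDER_TYPE_BINDER && fp->type != BINDER_TYPE_WEAK_BINDER)
        return;
    fp->type = (fp->type == BINDER_TYPE_BINDER) ? BINDER_TYPE_HANDLE : BINDER_TYPE_WEAK_HANDLE;
    if (zero_server_fields)
        fp->binder = 0;   /* clear all 8 bytes before the 4-byte handle write */
    fp->handle = desc;    /* overwrites only half of the 64-bit 'binder' */
    if (zero_server_fields)
        fp->cookie = 0;
}
/* Count byte positions where the translated object still equals the sender value. */
static size_t matching_bytes(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    size_t m = 0;
    for (size_t i = 0; i < n; i++) m += (x[i] == y[i]);
    return m;
}
/* Bytes of sender address material that reach the receiver (12 pre-fix, 0 fixed). */
size_t leaked_bytes(bool apply_fix)
{
    /* Constructed sender-side values with no zero bytes, so zeroed or handle-filled bytes cannot match by accident. */
    const binder_uintptr_t srv_ptr = 0xffff8a1b2c3d4e5fULL, srv_cookie = 0xffff8a1b2c3d4f60ULL;
    struct flat_binder_object fp = { .type = BINDER_TYPE_BINDER, .binder = srv_ptr, .cookie = srv_cookie };
    translate_to_handle(&fp, 7, apply_fix);
    return matching_bytes(&fp.binder, &srv_ptr, sizeof srv_ptr)
         + matching_bytes(&fp.cookie, &srv_cookie, sizeof srv_cookie);
}
```

Pre-fix, the 32-bit handle write leaves the other half of the 64-bit pointer plus the whole cookie in the object handed to the receiver; with the zeroing applied first, nothing of either value survives.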