UPSTREAM: binder: add flag to clear buffer on txn complete Add a per-transaction flag to indicate that the buffer must be cleared when the transaction is complete to prevent copies of sensitive data from being preserved in memory. Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20201120233743.3617529-1-tkjos@google.com Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 171501513 Change-Id: Ic9338c85cbe3b11ab6f2bda55dce9964bb48447a (cherry picked from commit 0f966cba95c78029f491b433ea95ff38f414a761) Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Sami Tolvanen <samitolvanen@google.com>

commit: 451fffdd4b245c25c13ee5643923478f77384e93 [log] [tgz]
author: Todd Kjos <tkjos@google.com> Fri Nov 20 15:37:43 2020 -0800
committer: Tim Zimmermann <tim@linux4.de> Sat Jan 13 05:48:50 2024 +0100
tree: 8dd9866866d0c3c25d2e456c8422070353f83364
parent: 9ad13ab970d523920740dd159a08ca6b866cd92b [diff]
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index c87daa2..39c17e2 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c

@@ -3269,6 +3269,7 @@
 	t->buffer->debug_id = t->debug_id;
 	t->buffer->transaction = t;
 	t->buffer->target_node = target_node;
+	t->buffer->clear_on_free = !!(t->flags & TF_CLEAR_BUF);
 	trace_binder_transaction_alloc_buf(t->buffer);
 
 	if (binder_alloc_copy_user_to_buffer(

diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
index 47d152b..2d36fb2 100644
--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c

@@ -697,6 +697,8 @@
 	binder_insert_free_buffer(alloc, buffer);
 }
 
+static void binder_alloc_clear_buf(struct binder_alloc *alloc,
+				   struct binder_buffer *buffer);
 /**
  * binder_alloc_free_buf() - free a binder buffer
  * @alloc:	binder_alloc for this proc
@@ -707,6 +709,18 @@
 void binder_alloc_free_buf(struct binder_alloc *alloc,
 			    struct binder_buffer *buffer)
 {
+	/*
+	 * We could eliminate the call to binder_alloc_clear_buf()
+	 * from binder_alloc_deferred_release() by moving this to
+	 * binder_alloc_free_buf_locked(). However, that could
+	 * increase contention for the alloc mutex if clear_on_free
+	 * is used frequently for large buffers. The mutex is not
+	 * needed for correctness here.
+	 */
+	if (buffer->clear_on_free) {
+		binder_alloc_clear_buf(alloc, buffer);
+		buffer->clear_on_free = false;
+	}
 	mutex_lock(&alloc->mutex);
 	binder_free_buf_locked(alloc, buffer);
 	mutex_unlock(&alloc->mutex);
@@ -799,6 +813,10 @@
 		/* Transaction should already have been freed */
 		BUG_ON(buffer->transaction);
 
+		if (buffer->clear_on_free) {
+			binder_alloc_clear_buf(alloc, buffer);
+			buffer->clear_on_free = false;
+		}
 		binder_free_buf_locked(alloc, buffer);
 		buffers++;
 	}
@@ -1126,6 +1144,36 @@
 }
 
 /**
+ * binder_alloc_clear_buf() - zero out buffer
+ * @alloc: binder_alloc for this proc
+ * @buffer: binder buffer to be cleared
+ *
+ * memset the given buffer to 0
+ */
+static void binder_alloc_clear_buf(struct binder_alloc *alloc,
+				   struct binder_buffer *buffer)
+{
+	size_t bytes = binder_alloc_buffer_size(alloc, buffer);
+	binder_size_t buffer_offset = 0;
+
+	while (bytes) {
+		unsigned long size;
+		struct page *page;
+		pgoff_t pgoff;
+		void *kptr;
+
+		page = binder_alloc_get_page(alloc, buffer,
+					     buffer_offset, &pgoff);
+		size = min_t(size_t, bytes, PAGE_SIZE - pgoff);
+		kptr = kmap(page) + pgoff;
+		memset(kptr, 0, size);
+		kunmap(page);
+		bytes -= size;
+		buffer_offset += size;
+	}
+}
+
+/**
  * binder_alloc_copy_user_to_buffer() - copy src user to tgt user
  * @alloc: binder_alloc for this proc
  * @buffer: binder buffer to be accessed

diff --git a/drivers/android/binder_alloc.h b/drivers/android/binder_alloc.h
index 09031db..c7a2897 100644
--- a/drivers/android/binder_alloc.h
+++ b/drivers/android/binder_alloc.h

@@ -32,6 +32,7 @@
  * @entry:              entry alloc->buffers
  * @rb_node:            node for allocated_buffers/free_buffers rb trees
  * @free:               %true if buffer is free
+ * @clear_on_free:      %true if buffer must be zeroed after use
  * @allow_user_free:    %true if user is allowed to free buffer
  * @async_transaction:  %true if buffer is in use for an async txn
  * @debug_id:           unique ID for debugging
@@ -50,9 +51,10 @@
 	struct rb_node rb_node; /* free entry by size or allocated entry */
 				/* by address */
 	unsigned free:1;
+	unsigned clear_on_free:1;
 	unsigned allow_user_free:1;
 	unsigned async_transaction:1;
-	unsigned debug_id:29;
+	unsigned debug_id:28;
 
 	struct binder_transaction *transaction;
 

diff --git a/include/uapi/linux/android/binder.h b/include/uapi/linux/android/binder.h
index d5bcba6..cd6d089 100644
--- a/include/uapi/linux/android/binder.h
+++ b/include/uapi/linux/android/binder.h

@@ -309,6 +309,7 @@
 	TF_ROOT_OBJECT	= 0x04,	/* contents are the component's root object */
 	TF_STATUS_CODE	= 0x08,	/* contents are a 32-bit status code */
 	TF_ACCEPT_FDS	= 0x10,	/* allow replies with file descriptors */
+	TF_CLEAR_BUF	= 0x20,	/* clear buffer on txn complete */
 };
 
 struct binder_transaction_data {
commit	451fffdd4b245c25c13ee5643923478f77384e93	[log] [tgz]
author	Todd Kjos <tkjos@google.com>	Fri Nov 20 15:37:43 2020 -0800
committer	Tim Zimmermann <tim@linux4.de>	Sat Jan 13 05:48:50 2024 +0100
tree	8dd9866866d0c3c25d2e456c8422070353f83364
parent	9ad13ab970d523920740dd159a08ca6b866cd92b [diff]