ANDROID: rust_binder: print and avoid underflow with invalid refcnt

Userspace may send invalid refcount changes that correspond to handles
that do not exist, or are otherwise invalid decrements. (For example, a
weak decrement on a node that only has strong refs.) When such invalid
usage of the userspace API happens, just print and do not change the
refcnt.

This fixes a crash on underflow when computing `0-1` with an unsigned
integer.

Bug: 426101719
Reported-and-tested-by: syzbot+983b7a2aeabc09449c43@syzkaller.appspotmail.com
Fixes: dac7c66bc9 ("ANDROID: rust_binder: move Rust Binder in preparation for GKI module")
Change-Id: I987a5dd3a4b028c0dc843fc3b3a4e0087a46fd37
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Alice Ryhl
2025-06-20 09:03:35 +00:00
parent 3744083cdb
commit 5da94eacba
2 changed files with 9 additions and 0 deletions


@@ -890,6 +890,13 @@ impl NodeRef {
}
*count += 1;
} else {
if *count == 0 {
pr_warn!(
"pid {} performed invalid decrement on ref\n",
kernel::current!().pid()
);
return false;
}
*count -= 1;
if *count == 0 {
self.node.update_refcount(false, *node_count, strong);
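Review bot: The `pr_warn!` added in the `*count == 0` branch can be triggered by userspace as often as it likes, so a process that keeps sending the invalid decrement can flood the kernel log; consider rate limiting the message or lowering its level. The text would also be easier to act on if it said whether the decrement was strong or weak, since `strong` is already in scope where `update_refcount` is called just below. A short comment on what the early `return false` tells the caller would help the next reader, because the count is left untouched on that path.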


@@ -926,6 +926,8 @@ impl Process {
refs.by_handle.remove(&handle);
refs.by_node.remove(&id);
}
} else {
pr_warn!("{}: no such ref {handle}\n", kernel::current!().pid());
}
Ok(())
}
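Review bot: The warning in the new `else` branch prefixes the pid as a bare `{}:`, while the other warning added in this commit writes `pid {} performed ...`; pick one format so both messages can be found with the same search. Like the other warning, this one is reachable from userspace on demand and has no rate limit. The path still falls through to `Ok(())`, so the caller sees success for a handle that does not exist; if that is the intended behaviour, a one-line comment saying so would make it clear this is not a missed error return.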