
THREATINT
PUBLISHED

CVE-2024-56555

binder: fix OOB in binder_add_freeze_work()



Description

In the Linux kernel, the following vulnerability has been resolved:

binder: fix OOB in binder_add_freeze_work()

In binder_add_freeze_work() we iterate over the proc->nodes with the proc->inner_lock held. However, this lock is temporarily dropped to acquire the node->lock first (lock nesting order). This can race with binder_deferred_release() which removes the nodes from the proc->nodes rbtree and adds them into binder_dead_nodes list. This leads to a broken iteration in binder_add_freeze_work() as rb_next() will use data from binder_dead_nodes, triggering an out-of-bounds access:

  ==================================================================
  BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124
  Read of size 8 at addr ffffcb84285f7170 by task freeze/660

  CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   rb_next+0xfc/0x124
   binder_add_freeze_work+0x344/0x534
   binder_ioctl+0x1e70/0x25ac
   __arm64_sys_ioctl+0x124/0x190

  The buggy address belongs to the variable:
   binder_dead_nodes+0x10/0x40
  [...]
  ==================================================================

This is possible because proc->nodes (rbtree) and binder_dead_nodes (list) share entries in binder_node through a union:

  struct binder_node {
  [...]
  	union {
  		struct rb_node rb_node;
  		struct hlist_node dead_node;
  	};

Fix the race by checking that the proc is still alive. If not, simply break out of the iteration.
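The KASAN report above locates the bad read at binder_dead_nodes+0x10. The following added example (not kernel code and not part of this advisory) models the quoted union with the kernel's rb_node and hlist_node field layouts and computes, without performing it, the address rb_next() would load once the node the freeze loop is visiting has been moved onto the dead list: the list head's pprev pointer lands in rb_right, and rb_next() then reads rb_left (offset 0x10 on 64-bit) relative to the global list head. Assumed: 64-bit pointers, the node is added at the head of the list as hlist_add_head() does, and dead_nodes, move_to_dead_list and demo are names invented for this model.

```c
#include <stddef.h>
#include <stdint.h>
/* Kernel field layouts of rb_node and hlist_node, reproduced for this model. */
struct rb_node {
    unsigned long __rb_parent_color;
    struct rb_node *rb_right;      /* same bytes as hlist_node.pprev below */
    struct rb_node *rb_left;
};
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };
/* The union quoted in the advisory; other binder_node fields omitted. */
struct binder_node {
    int id;
    union {
        struct rb_node rb_node;       /* linkage in proc->nodes */
        struct hlist_node dead_node;  /* linkage in binder_dead_nodes */
    };
};
static struct hlist_head dead_nodes;  /* stands in for binder_dead_nodes (model name) */

/* The pointer writes hlist_add_head() performs; they overwrite rb_node. */
static void move_to_dead_list(struct binder_node *n) {
    struct hlist_node *first = dead_nodes.first;
    n->dead_node.next = first;
    if (first) first->pprev = &n->dead_node.next;
    dead_nodes.first = &n->dead_node;
    n->dead_node.pprev = &dead_nodes.first;   /* lands in rb_right */
}

/* Address rb_next(&n->rb_node) would read next: it tests rb_right, follows
 * it and loads that node's rb_left. Computed only, never dereferenced. */
static uintptr_t rb_next_read_addr(const struct binder_node *n) {
    const struct rb_node *right = n->rb_node.rb_right;
    return right ? (uintptr_t)right + offsetof(struct rb_node, rb_left) : 0;
}

/* 1 if a pointer-sized load at addr falls outside the dead_nodes global. */
static int read_outside_dead_nodes(uintptr_t addr) {
    uintptr_t base = (uintptr_t)&dead_nodes, end = base + sizeof(dead_nodes);
    return addr != 0 && (addr < base || addr + sizeof(void *) > end);
}

/* The node the freeze loop is visiting is released in the unlocked window. */
static int demo(void) {
    static struct binder_node n = { .id = 1 };
    dead_nodes.first = NULL;               /* fresh list for repeated runs */
    move_to_dead_list(&n);
    return read_outside_dead_nodes(rb_next_read_addr(&n));
}
```

demo() returns 1: the load rb_next() would issue sits one rb_left offset past the 8-byte list head, which is exactly the +0x10 global out-of-bounds the report shows.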

Reserved 2024-12-27 | Published 2024-12-27 | Updated 2024-12-27 | Assigner Linux

Product status

Git commits (default status: unaffected)
  d579b04a52a183db47dfcb7a44304d7747d551e1 before 6b1be1da1f8279cf091266e71b5153c5b02aaff6   affected
  d579b04a52a183db47dfcb7a44304d7747d551e1 before 011e69a1b23011c0db3af4b8293fdd4522cc97b0   affected

Kernel versions (default status: affected)
  6.12                       affected
  Any version before 6.12    unaffected
  6.12.4                     unaffected
  6.13-rc1                   unaffected

References

git.kernel.org/...c/6b1be1da1f8279cf091266e71b5153c5b02aaff6

git.kernel.org/...c/011e69a1b23011c0db3af4b8293fdd4522cc97b0

cve.org (CVE-2024-56555)

nvd.nist.gov (CVE-2024-56555)

https://cve.threatint.com/CVE/CVE-2024-56555