fkie_cve-2024-56555
Vulnerability from fkie_nvd
Published
2024-12-27 15:15
Modified
2024-12-27 15:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: binder: fix OOB in binder_add_freeze_work() In binder_add_freeze_work() we iterate over the proc->nodes with the proc->inner_lock held. However, this lock is temporarily dropped to acquire the node->lock first (lock nesting order). This can race with binder_deferred_release() which removes the nodes from the proc->nodes rbtree and adds them into binder_dead_nodes list. This leads to a broken iteration in binder_add_freeze_work() as rb_next() will use data from binder_dead_nodes, triggering an out-of-bounds access: ================================================================== BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124 Read of size 8 at addr ffffcb84285f7170 by task freeze/660 CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18 Hardware name: linux,dummy-virt (DT) Call trace: rb_next+0xfc/0x124 binder_add_freeze_work+0x344/0x534 binder_ioctl+0x1e70/0x25ac __arm64_sys_ioctl+0x124/0x190 The buggy address belongs to the variable: binder_dead_nodes+0x10/0x40 [...] ================================================================== This is possible because proc->nodes (rbtree) and binder_dead_nodes (list) share entries in binder_node through a union: struct binder_node { [...] union { struct rb_node rb_node; struct hlist_node dead_node; }; Fix the race by checking that the proc is still alive. If not, simply break out of the iteration.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/011e69a1b23011c0db3af4b8293fdd4522cc97b0
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6b1be1da1f8279cf091266e71b5153c5b02aaff6
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix OOB in binder_add_freeze_work()\n\nIn binder_add_freeze_work() we iterate over the proc-\u003enodes with the\nproc-\u003einner_lock held. However, this lock is temporarily dropped to\nacquire the node-\u003elock first (lock nesting order). This can race with\nbinder_deferred_release() which removes the nodes from the proc-\u003enodes\nrbtree and adds them into binder_dead_nodes list. This leads to a broken\niteration in binder_add_freeze_work() as rb_next() will use data from\nbinder_dead_nodes, triggering an out-of-bounds access:\n\n  ==================================================================\n  BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124\n  Read of size 8 at addr ffffcb84285f7170 by task freeze/660\n\n  CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   rb_next+0xfc/0x124\n   binder_add_freeze_work+0x344/0x534\n   binder_ioctl+0x1e70/0x25ac\n   __arm64_sys_ioctl+0x124/0x190\n\n  The buggy address belongs to the variable:\n   binder_dead_nodes+0x10/0x40\n  [...]\n  ==================================================================\n\nThis is possible because proc-\u003enodes (rbtree) and binder_dead_nodes\n(list) share entries in binder_node through a union:\n\n\tstruct binder_node {\n\t[...]\n\t\tunion {\n\t\t\tstruct rb_node rb_node;\n\t\t\tstruct hlist_node dead_node;\n\t\t};\n\nFix the race by checking that the proc is still alive. If not, simply\nbreak out of the iteration."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: binder: correcci\u00f3n de OOB en binder_add_freeze_work() En binder_add_freeze_work() iteramos sobre proc-\u0026gt;nodes con el proc-\u0026gt;inner_lock retenido. Sin embargo, este bloqueo se elimina temporalmente para adquirir primero el node-\u0026gt;lock (orden de anidaci\u00f3n de bloqueos). Esto puede competir con binder_deferred_release() que elimina los nodos del proc-\u0026gt;nodes rbtree y los agrega a la lista binder_dead_nodes. Esto genera una iteraci\u00f3n rota en binder_add_freeze_work() ya que rb_next() usar\u00e1 datos de binder_dead_nodes, lo que activa un acceso fuera de los l\u00edmites: ====================================================================== ERROR: KASAN: global fuera de los l\u00edmites en rb_next+0xfc/0x124 Lectura de tama\u00f1o 8 en la direcci\u00f3n ffffcb84285f7170 por la tarea freeze/660 CPU: 8 UID: 0 PID: 660 Comm: freeze No contaminado 6.11.0-07343-ga727812a8d45 #18 Nombre del hardware: linux,dummy-virt (DT) Rastreo de llamadas: rb_next+0xfc/0x124 binder_add_freeze_work+0x344/0x534 binder_ioctl+0x1e70/0x25ac __arm64_sys_ioctl+0x124/0x190 La direcci\u00f3n con errores pertenece a la variable: binder_dead_nodes+0x10/0x40 [...] =================================================================== Esto es posible porque proc-\u0026gt;nodes (rbtree) y binder_dead_nodes (lista) comparten entradas en binder_node a trav\u00e9s de una uni\u00f3n: struct binder_node { [...] union { struct rb_node rb_node; struct hlist_node dead_node; }; Corrija la ejecuci\u00f3n comprobando que el procedimiento sigue activo. Si no es as\u00ed, simplemente salga de la iteraci\u00f3n."
    }
  ],
  "id": "CVE-2024-56555",
  "lastModified": "2024-12-27T15:15:14.297",
  "metrics": {},
  "published": "2024-12-27T15:15:14.297",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/011e69a1b23011c0db3af4b8293fdd4522cc97b0"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6b1be1da1f8279cf091266e71b5153c5b02aaff6"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.