ghsa-q9f3-jcg6-9j2x
Vulnerability from github
Published
2024-12-27 15:31
Modified
2024-12-27 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

binder: fix OOB in binder_add_freeze_work()

In binder_add_freeze_work() we iterate over the proc->nodes with the proc->inner_lock held. However, this lock is temporarily dropped to acquire the node->lock first (lock nesting order). This can race with binder_deferred_release() which removes the nodes from the proc->nodes rbtree and adds them into binder_dead_nodes list. This leads to a broken iteration in binder_add_freeze_work() as rb_next() will use data from binder_dead_nodes, triggering an out-of-bounds access:

================================================================== BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124 Read of size 8 at addr ffffcb84285f7170 by task freeze/660

CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18 Hardware name: linux,dummy-virt (DT) Call trace: rb_next+0xfc/0x124 binder_add_freeze_work+0x344/0x534 binder_ioctl+0x1e70/0x25ac __arm64_sys_ioctl+0x124/0x190

The buggy address belongs to the variable: binder_dead_nodes+0x10/0x40 [...] ==================================================================

This is possible because proc->nodes (rbtree) and binder_dead_nodes (list) share entries in binder_node through a union:

struct binder_node {
[...]
    union {
        struct rb_node rb_node;
        struct hlist_node dead_node;
    };

Fix the race by checking that the proc is still alive. If not, simply break out of the iteration.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-56555"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T15:15:14Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix OOB in binder_add_freeze_work()\n\nIn binder_add_freeze_work() we iterate over the proc-\u003enodes with the\nproc-\u003einner_lock held. However, this lock is temporarily dropped to\nacquire the node-\u003elock first (lock nesting order). This can race with\nbinder_deferred_release() which removes the nodes from the proc-\u003enodes\nrbtree and adds them into binder_dead_nodes list. This leads to a broken\niteration in binder_add_freeze_work() as rb_next() will use data from\nbinder_dead_nodes, triggering an out-of-bounds access:\n\n  ==================================================================\n  BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124\n  Read of size 8 at addr ffffcb84285f7170 by task freeze/660\n\n  CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   rb_next+0xfc/0x124\n   binder_add_freeze_work+0x344/0x534\n   binder_ioctl+0x1e70/0x25ac\n   __arm64_sys_ioctl+0x124/0x190\n\n  The buggy address belongs to the variable:\n   binder_dead_nodes+0x10/0x40\n  [...]\n  ==================================================================\n\nThis is possible because proc-\u003enodes (rbtree) and binder_dead_nodes\n(list) share entries in binder_node through a union:\n\n\tstruct binder_node {\n\t[...]\n\t\tunion {\n\t\t\tstruct rb_node rb_node;\n\t\t\tstruct hlist_node dead_node;\n\t\t};\n\nFix the race by checking that the proc is still alive. If not, simply\nbreak out of the iteration.",
  "id": "GHSA-q9f3-jcg6-9j2x",
  "modified": "2024-12-27T15:31:53Z",
  "published": "2024-12-27T15:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56555"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/011e69a1b23011c0db3af4b8293fdd4522cc97b0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6b1be1da1f8279cf091266e71b5153c5b02aaff6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.