Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2021 / CVE-2021-46935.json
blob: 4f27c7547601bf7fc90bed79496005c371f20240 [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix async_free_space accounting for empty parcels\n\nIn 4.13, commit 74310e06be4d (\"android: binder: Move buffer out of area shared with user space\")\nfixed a kernel structure visibility issue. As part of that patch,\nsizeof(void *) was used as the buffer size for 0-length data payloads so\nthe driver could detect abusive clients sending 0-length asynchronous\ntransactions to a server by enforcing limits on async_free_size.\n\nUnfortunately, on the \"free\" side, the accounting of async_free_space\ndid not add the sizeof(void *) back. The result was that up to 8-bytes of\nasync_free_space were leaked on every async transaction of 8-bytes or\nless. These small transactions are uncommon, so this accounting issue\nhas gone undetected for several years.\n\nThe fix is to use \"buffer_size\" (the allocated buffer size) instead of\n\"size\" (the logical buffer size) when updating the async_free_space\nduring the free operation. These are the same except for this\ncorner case of asynchronous transactions with payloads < 8 bytes."
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/android/binder_alloc.c"
],
"versions": [
{
"version": "74310e06be4d74dcf67cd108366710dee5c576d5",
"lessThan": "2d2df539d05205fd83c404d5f2dff48d36f9b495",
"status": "affected",
"versionType": "git"
},
{
"version": "74310e06be4d74dcf67cd108366710dee5c576d5",
"lessThan": "7c7064402609aeb6fb11be1b4ec10673ff17b593",
"status": "affected",
"versionType": "git"
},
{
"version": "74310e06be4d74dcf67cd108366710dee5c576d5",
"lessThan": "103b16a8c51f96d5fe063022869ea906c256e5da",
"status": "affected",
"versionType": "git"
},
{
"version": "74310e06be4d74dcf67cd108366710dee5c576d5",
"lessThan": "1cb8444f3114f0bb2f6e3bcadcf09aa4a28425d4",
"status": "affected",
"versionType": "git"
},
{
"version": "74310e06be4d74dcf67cd108366710dee5c576d5",
"lessThan": "17691bada6b2f1d5f1c0f6d28cd9d0727023b0ff",
"status": "affected",
"versionType": "git"
},
{
"version": "74310e06be4d74dcf67cd108366710dee5c576d5",
"lessThan": "cfd0d84ba28c18b531648c9d4a35ecca89ad9901",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/android/binder_alloc.c"
],
"versions": [
{
"version": "4.14",
"status": "affected"
},
{
"version": "0",
"lessThan": "4.14",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "4.14.261",
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "4.19.224",
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.4.170",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.10.90",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.13",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.16",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14",
"versionEndExcluding": "4.14.261"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14",
"versionEndExcluding": "4.19.224"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14",
"versionEndExcluding": "5.4.170"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14",
"versionEndExcluding": "5.10.90"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14",
"versionEndExcluding": "5.15.13"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14",
"versionEndExcluding": "5.16"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/2d2df539d05205fd83c404d5f2dff48d36f9b495"
},
{
"url": "https://git.kernel.org/stable/c/7c7064402609aeb6fb11be1b4ec10673ff17b593"
},
{
"url": "https://git.kernel.org/stable/c/103b16a8c51f96d5fe063022869ea906c256e5da"
},
{
"url": "https://git.kernel.org/stable/c/1cb8444f3114f0bb2f6e3bcadcf09aa4a28425d4"
},
{
"url": "https://git.kernel.org/stable/c/17691bada6b2f1d5f1c0f6d28cd9d0727023b0ff"
},
{
"url": "https://git.kernel.org/stable/c/cfd0d84ba28c18b531648c9d4a35ecca89ad9901"
}
],
"title": "binder: fix async_free_space accounting for empty parcels",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2021-46935",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}