cve/published/2021/CVE-2021-46935.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-46935: binder: fix async_free_space accounting for empty parcels

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 binder: fix async_free_space accounting for empty parcels

 In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
 fixed a kernel structure visibility issue. As part of that patch,
 sizeof(void *) was used as the buffer size for 0-length data payloads so
 the driver could detect abusive clients sending 0-length asynchronous
 transactions to a server by enforcing limits on async_free_size.

 Unfortunately, on the "free" side, the accounting of async_free_space
 did not add the sizeof(void *) back. The result was that up to 8-bytes of
 async_free_space were leaked on every async transaction of 8-bytes or
 less.  These small transactions are uncommon, so this accounting issue
 has gone undetected for several years.

 The fix is to use "buffer_size" (the allocated buffer size) instead of
 "size" (the logical buffer size) when updating the async_free_space
 during the free operation. These are the same except for this
 corner case of asynchronous transactions with payloads < 8 bytes.

 The Linux kernel CVE team has assigned CVE-2021-46935 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.14 with commit 74310e06be4d74dcf67cd108366710dee5c576d5 and fixed in 4.14.261 with commit 2d2df539d05205fd83c404d5f2dff48d36f9b495
 	Issue introduced in 4.14 with commit 74310e06be4d74dcf67cd108366710dee5c576d5 and fixed in 4.19.224 with commit 7c7064402609aeb6fb11be1b4ec10673ff17b593
 	Issue introduced in 4.14 with commit 74310e06be4d74dcf67cd108366710dee5c576d5 and fixed in 5.4.170 with commit 103b16a8c51f96d5fe063022869ea906c256e5da
 	Issue introduced in 4.14 with commit 74310e06be4d74dcf67cd108366710dee5c576d5 and fixed in 5.10.90 with commit 1cb8444f3114f0bb2f6e3bcadcf09aa4a28425d4
 	Issue introduced in 4.14 with commit 74310e06be4d74dcf67cd108366710dee5c576d5 and fixed in 5.15.13 with commit 17691bada6b2f1d5f1c0f6d28cd9d0727023b0ff
 	Issue introduced in 4.14 with commit 74310e06be4d74dcf67cd108366710dee5c576d5 and fixed in 5.16 with commit cfd0d84ba28c18b531648c9d4a35ecca89ad9901

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-46935
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/android/binder_alloc.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2d2df539d05205fd83c404d5f2dff48d36f9b495
 	https://git.kernel.org/stable/c/7c7064402609aeb6fb11be1b4ec10673ff17b593
 	https://git.kernel.org/stable/c/103b16a8c51f96d5fe063022869ea906c256e5da
 	https://git.kernel.org/stable/c/1cb8444f3114f0bb2f6e3bcadcf09aa4a28425d4
 	https://git.kernel.org/stable/c/17691bada6b2f1d5f1c0f6d28cd9d0727023b0ff
 	https://git.kernel.org/stable/c/cfd0d84ba28c18b531648c9d4a35ecca89ad9901
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-46935: binder: fix async_free_space accounting for empty parcels

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	binder: fix async_free_space accounting for empty parcels

	In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
	fixed a kernel structure visibility issue. As part of that patch,
	sizeof(void *) was used as the buffer size for 0-length data payloads so
	the driver could detect abusive clients sending 0-length asynchronous
	transactions to a server by enforcing limits on async_free_size.

	Unfortunately, on the "free" side, the accounting of async_free_space
	did not add the sizeof(void *) back. The result was that up to 8-bytes of
	async_free_space were leaked on every async transaction of 8-bytes or
	less. These small transactions are uncommon, so this accounting issue
	has gone undetected for several years.

	The fix is to use "buffer_size" (the allocated buffer size) instead of
	"size" (the logical buffer size) when updating the async_free_space
	during the free operation. These are the same except for this
	corner case of asynchronous transactions with payloads < 8 bytes.

	The Linux kernel CVE team has assigned CVE-2021-46935 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.14 with commit 74310e06be4d74dcf67cd108366710dee5c576d5 and fixed in 4.14.261 with commit 2d2df539d05205fd83c404d5f2dff48d36f9b495
	Issue introduced in 4.14 with commit 74310e06be4d74dcf67cd108366710dee5c576d5 and fixed in 4.19.224 with commit 7c7064402609aeb6fb11be1b4ec10673ff17b593
	Issue introduced in 4.14 with commit 74310e06be4d74dcf67cd108366710dee5c576d5 and fixed in 5.4.170 with commit 103b16a8c51f96d5fe063022869ea906c256e5da
	Issue introduced in 4.14 with commit 74310e06be4d74dcf67cd108366710dee5c576d5 and fixed in 5.10.90 with commit 1cb8444f3114f0bb2f6e3bcadcf09aa4a28425d4
	Issue introduced in 4.14 with commit 74310e06be4d74dcf67cd108366710dee5c576d5 and fixed in 5.15.13 with commit 17691bada6b2f1d5f1c0f6d28cd9d0727023b0ff
	Issue introduced in 4.14 with commit 74310e06be4d74dcf67cd108366710dee5c576d5 and fixed in 5.16 with commit cfd0d84ba28c18b531648c9d4a35ecca89ad9901

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-46935
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/android/binder_alloc.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2d2df539d05205fd83c404d5f2dff48d36f9b495
	https://git.kernel.org/stable/c/7c7064402609aeb6fb11be1b4ec10673ff17b593
	https://git.kernel.org/stable/c/103b16a8c51f96d5fe063022869ea906c256e5da
	https://git.kernel.org/stable/c/1cb8444f3114f0bb2f6e3bcadcf09aa4a28425d4
	https://git.kernel.org/stable/c/17691bada6b2f1d5f1c0f6d28cd9d0727023b0ff
	https://git.kernel.org/stable/c/cfd0d84ba28c18b531648c9d4a35ecca89ad9901