| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix UAF caused by offsets overwrite\n\nBinder objects are processed and copied individually into the target\nbuffer during transactions. Any raw data in-between these objects is\ncopied as well. However, this raw data copy lacks an out-of-bounds\ncheck. If the raw data exceeds the data section size then the copy\noverwrites the offsets section. This eventually triggers an error that\nattempts to unwind the processed objects. However, at this point the\noffsets used to index these objects are now corrupted.\n\nUnwinding with corrupted offsets can result in decrements of arbitrary\nnodes and lead to their premature release. Other users of such nodes are\nleft with a dangling pointer triggering a use-after-free. This issue is\nmade evident by the following KASAN report (trimmed):\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c\n Write of size 4 at addr ffff47fc91598f04 by task binder-util/743\n\n CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n _raw_spin_lock+0xe4/0x19c\n binder_free_buf+0x128/0x434\n binder_thread_write+0x8a4/0x3260\n binder_ioctl+0x18f0/0x258c\n [...]\n\n Allocated by task 743:\n __kmalloc_cache_noprof+0x110/0x270\n binder_new_node+0x50/0x700\n binder_transaction+0x413c/0x6da8\n binder_thread_write+0x978/0x3260\n binder_ioctl+0x18f0/0x258c\n [...]\n\n Freed by task 745:\n kfree+0xbc/0x208\n binder_thread_read+0x1c5c/0x37d4\n binder_ioctl+0x16d8/0x258c\n [...]\n ==================================================================\n\nTo avoid this issue, let's check that the raw data copy is within the\nboundaries of the data section." |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "drivers/android/binder.c" |
| ], |
| "versions": [ |
| { |
| "version": "c056a6ba35e00ae943e377eb09abd77a6915b31a", |
| "lessThan": "5a32bfd23022ffa7e152f273fa3fa29befb7d929", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "23e9d815fad84c1bee3742a8de4bd39510435362", |
| "lessThan": "3a8154bb4ab4a01390a3abf1e6afac296e037da4", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "7a9ad4aceb0226b391c9d3b8e4ac2e7d438b6bde", |
| "lessThan": "eef79854a04feac5b861f94d7b19cbbe79874117", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "6d98eb95b450a75adb4516a1d33652dc78d2b20c", |
| "lessThan": "4f79e0b80dc69bd5eaaed70f0df1b558728b4e59", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "6d98eb95b450a75adb4516a1d33652dc78d2b20c", |
| "lessThan": "1f33d9f1d9ac3f0129f8508925000900c2fe5bb0", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "6d98eb95b450a75adb4516a1d33652dc78d2b20c", |
| "lessThan": "109e845c1184c9f786d41516348ba3efd9112792", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "6d98eb95b450a75adb4516a1d33652dc78d2b20c", |
| "lessThan": "4df153652cc46545722879415937582028c18af5", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "66e12f5b3a9733f941893a00753b10498724607d", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "drivers/android/binder.c" |
| ], |
| "versions": [ |
| { |
| "version": "5.17", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "5.17", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.4.284", |
| "lessThanOrEqual": "5.4.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.10.226", |
| "lessThanOrEqual": "5.10.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.15.167", |
| "lessThanOrEqual": "5.15.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.1.110", |
| "lessThanOrEqual": "6.1.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.6.51", |
| "lessThanOrEqual": "6.6.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.10.10", |
| "lessThanOrEqual": "6.10.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.11", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.4.226", |
| "versionEndExcluding": "5.4.284" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.10.157", |
| "versionEndExcluding": "5.10.226" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.15.17", |
| "versionEndExcluding": "5.15.167" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.17", |
| "versionEndExcluding": "6.1.110" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.17", |
| "versionEndExcluding": "6.6.51" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.17", |
| "versionEndExcluding": "6.10.10" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.17", |
| "versionEndExcluding": "6.11" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.16.3" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/5a32bfd23022ffa7e152f273fa3fa29befb7d929" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/3a8154bb4ab4a01390a3abf1e6afac296e037da4" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/eef79854a04feac5b861f94d7b19cbbe79874117" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/4f79e0b80dc69bd5eaaed70f0df1b558728b4e59" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/1f33d9f1d9ac3f0129f8508925000900c2fe5bb0" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/109e845c1184c9f786d41516348ba3efd9112792" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/4df153652cc46545722879415937582028c18af5" |
| } |
| ], |
| "title": "binder: fix UAF caused by offsets overwrite", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2024-46740", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
