cve/published/2024/CVE-2024-26926.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26926: binder: check offset alignment in binder_get_object()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 binder: check offset alignment in binder_get_object()

 Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying
 txn") introduced changes to how binder objects are copied. In doing so,
 it unintentionally removed an offset alignment check done through calls
 to binder_alloc_copy_from_buffer() -> check_buffer().

 These calls were replaced in binder_get_object() with copy_from_user(),
 so now an explicit offset alignment check is needed here. This avoids
 later complications when unwinding the objects gets harder.

 It is worth noting this check existed prior to commit 7a67a39320df
 ("binder: add function to copy binder object from buffer"), likely
 removed due to redundancy at the time.

 The Linux kernel CVE team has assigned CVE-2024-26926 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4.226 with commit c056a6ba35e00ae943e377eb09abd77a6915b31a and fixed in 5.4.275 with commit 68a28f551e4690db2b27b3db716c7395f6fada12
 	Issue introduced in 5.10.157 with commit 23e9d815fad84c1bee3742a8de4bd39510435362 and fixed in 5.10.216 with commit 48a1f83ca9c68518b1a783c62e6a8223144fa9fc
 	Issue introduced in 5.15.17 with commit 7a9ad4aceb0226b391c9d3b8e4ac2e7d438b6bde and fixed in 5.15.157 with commit a2fd6dbc98be1105a1d8e9e31575da8873ef115c
 	Issue introduced in 5.17 with commit 6d98eb95b450a75adb4516a1d33652dc78d2b20c and fixed in 6.1.88 with commit a6d2a8b211c874971ee4cf3ddd167408177f6e76
 	Issue introduced in 5.17 with commit 6d98eb95b450a75adb4516a1d33652dc78d2b20c and fixed in 6.6.29 with commit 1d7f1049035b2060342f11eff957cf567d810bdc
 	Issue introduced in 5.17 with commit 6d98eb95b450a75adb4516a1d33652dc78d2b20c and fixed in 6.8.8 with commit f01d6619045704d78613b14e2e0420bfdb7f1c15
 	Issue introduced in 5.17 with commit 6d98eb95b450a75adb4516a1d33652dc78d2b20c and fixed in 6.9 with commit aaef73821a3b0194a01bd23ca77774f704a04d40
 	Issue introduced in 5.16.3 with commit 66e12f5b3a9733f941893a00753b10498724607d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26926
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/android/binder.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/68a28f551e4690db2b27b3db716c7395f6fada12
 	https://git.kernel.org/stable/c/48a1f83ca9c68518b1a783c62e6a8223144fa9fc
 	https://git.kernel.org/stable/c/a2fd6dbc98be1105a1d8e9e31575da8873ef115c
 	https://git.kernel.org/stable/c/a6d2a8b211c874971ee4cf3ddd167408177f6e76
 	https://git.kernel.org/stable/c/1d7f1049035b2060342f11eff957cf567d810bdc
 	https://git.kernel.org/stable/c/f01d6619045704d78613b14e2e0420bfdb7f1c15
 	https://git.kernel.org/stable/c/aaef73821a3b0194a01bd23ca77774f704a04d40
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26926: binder: check offset alignment in binder_get_object()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	binder: check offset alignment in binder_get_object()

	Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying
	txn") introduced changes to how binder objects are copied. In doing so,
	it unintentionally removed an offset alignment check done through calls
	to binder_alloc_copy_from_buffer() -> check_buffer().

	These calls were replaced in binder_get_object() with copy_from_user(),
	so now an explicit offset alignment check is needed here. This avoids
	later complications when unwinding the objects gets harder.

	It is worth noting this check existed prior to commit 7a67a39320df
	("binder: add function to copy binder object from buffer"), likely
	removed due to redundancy at the time.

	The Linux kernel CVE team has assigned CVE-2024-26926 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4.226 with commit c056a6ba35e00ae943e377eb09abd77a6915b31a and fixed in 5.4.275 with commit 68a28f551e4690db2b27b3db716c7395f6fada12
	Issue introduced in 5.10.157 with commit 23e9d815fad84c1bee3742a8de4bd39510435362 and fixed in 5.10.216 with commit 48a1f83ca9c68518b1a783c62e6a8223144fa9fc
	Issue introduced in 5.15.17 with commit 7a9ad4aceb0226b391c9d3b8e4ac2e7d438b6bde and fixed in 5.15.157 with commit a2fd6dbc98be1105a1d8e9e31575da8873ef115c
	Issue introduced in 5.17 with commit 6d98eb95b450a75adb4516a1d33652dc78d2b20c and fixed in 6.1.88 with commit a6d2a8b211c874971ee4cf3ddd167408177f6e76
	Issue introduced in 5.17 with commit 6d98eb95b450a75adb4516a1d33652dc78d2b20c and fixed in 6.6.29 with commit 1d7f1049035b2060342f11eff957cf567d810bdc
	Issue introduced in 5.17 with commit 6d98eb95b450a75adb4516a1d33652dc78d2b20c and fixed in 6.8.8 with commit f01d6619045704d78613b14e2e0420bfdb7f1c15
	Issue introduced in 5.17 with commit 6d98eb95b450a75adb4516a1d33652dc78d2b20c and fixed in 6.9 with commit aaef73821a3b0194a01bd23ca77774f704a04d40
	Issue introduced in 5.16.3 with commit 66e12f5b3a9733f941893a00753b10498724607d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26926
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/android/binder.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/68a28f551e4690db2b27b3db716c7395f6fada12
	https://git.kernel.org/stable/c/48a1f83ca9c68518b1a783c62e6a8223144fa9fc
	https://git.kernel.org/stable/c/a2fd6dbc98be1105a1d8e9e31575da8873ef115c
	https://git.kernel.org/stable/c/a6d2a8b211c874971ee4cf3ddd167408177f6e76
	https://git.kernel.org/stable/c/1d7f1049035b2060342f11eff957cf567d810bdc
	https://git.kernel.org/stable/c/f01d6619045704d78613b14e2e0420bfdb7f1c15
	https://git.kernel.org/stable/c/aaef73821a3b0194a01bd23ca77774f704a04d40