high
7.8
CWE
416
Advisory Published
Updated

CVE-2024-46740: binder: fix UAF caused by offsets overwrite

First published: Wed Sep 18 2024(Updated: )

In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF caused by offsets overwrite Binder objects are processed and copied individually into the target buffer during transactions. Any raw data in-between these objects is copied as well. However, this raw data copy lacks an out-of-bounds check. If the raw data exceeds the data section size then the copy overwrites the offsets section. This eventually triggers an error that attempts to unwind the processed objects. However, at this point the offsets used to index these objects are now corrupted. Unwinding with corrupted offsets can result in decrements of arbitrary nodes and lead to their premature release. Other users of such nodes are left with a dangling pointer triggering a use-after-free. This issue is made evident by the following KASAN report (trimmed): ================================================================== BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c Write of size 4 at addr ffff47fc91598f04 by task binder-util/743 CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1 Hardware name: linux,dummy-virt (DT) Call trace: _raw_spin_lock+0xe4/0x19c binder_free_buf+0x128/0x434 binder_thread_write+0x8a4/0x3260 binder_ioctl+0x18f0/0x258c [...] Allocated by task 743: __kmalloc_cache_noprof+0x110/0x270 binder_new_node+0x50/0x700 binder_transaction+0x413c/0x6da8 binder_thread_write+0x978/0x3260 binder_ioctl+0x18f0/0x258c [...] Freed by task 745: kfree+0xbc/0x208 binder_thread_read+0x1c5c/0x37d4 binder_ioctl+0x16d8/0x258c [...] ================================================================== To avoid this issue, let's check that the raw data copy is within the boundaries of the data section.

Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Affected SoftwareAffected VersionHow to fix
Linux Linux kernel>=5.4.226<5.4.284
Linux Linux kernel>=5.10.157<5.10.226
Linux Linux kernel>=5.15.17<5.15.167
Linux Linux kernel>=5.17<6.1.110
Linux Linux kernel>=6.2<6.6.51
Linux Linux kernel>=6.7<6.10.10
Linux Linux kernel=6.11-rc1
Linux Linux kernel=6.11-rc2
Linux Linux kernel=6.11-rc3
Linux Linux kernel=6.11-rc4
Linux Linux kernel=6.11-rc5
Linux Linux kernel=6.11-rc6
Google Android
debian/linux<=5.10.223-1
5.10.226-1
6.1.115-1
6.1.112-1
6.11.7-1

Remedy

https://git.kernel.org/stable/c/109e845c1184c9f786d41516348ba3efd9112792

Remedy

https://git.kernel.org/stable/c/1f33d9f1d9ac3f0129f8508925000900c2fe5bb0

Remedy

https://git.kernel.org/stable/c/3a8154bb4ab4a01390a3abf1e6afac296e037da4

Remedy

https://git.kernel.org/stable/c/4df153652cc46545722879415937582028c18af5

Remedy

https://git.kernel.org/stable/c/4f79e0b80dc69bd5eaaed70f0df1b558728b4e59

Remedy

https://git.kernel.org/stable/c/5a32bfd23022ffa7e152f273fa3fa29befb7d929

Remedy

https://git.kernel.org/stable/c/eef79854a04feac5b861f94d7b19cbbe79874117

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203