CVE-2024-56555: binder: fix OOB in binder_add_freeze_work()
First published: Fri Dec 27 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: binder: fix OOB in binder_add_freeze_work() In binder_add_freeze_work() we iterate over the proc->nodes with the proc->inner_lock held. However, this lock is temporarily dropped to acquire the node->lock first (lock nesting order). This can race with binder_deferred_release() which removes the nodes from the proc->nodes rbtree and adds them into binder_dead_nodes list. This leads to a broken iteration in binder_add_freeze_work() as rb_next() will use data from binder_dead_nodes, triggering an out-of-bounds access: ================================================================== BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124 Read of size 8 at addr ffffcb84285f7170 by task freeze/660 CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18 Hardware name: linux,dummy-virt (DT) Call trace: rb_next+0xfc/0x124 binder_add_freeze_work+0x344/0x534 binder_ioctl+0x1e70/0x25ac __arm64_sys_ioctl+0x124/0x190 The buggy address belongs to the variable: binder_dead_nodes+0x10/0x40 [...] ================================================================== This is possible because proc->nodes (rbtree) and binder_dead_nodes (list) share entries in binder_node through a union: struct binder_node { [...] union { struct rb_node rb_node; struct hlist_node dead_node; }; Fix the race by checking that the proc is still alive. If not, simply break out of the iteration.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat Kernel-devel | ||
| >=6.12<6.12.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-56555?
The severity of CVE-2024-56555 is considered moderate due to potential out-of-bounds access affecting system stability.
How do I fix CVE-2024-56555?
To fix CVE-2024-56555, you should update to a patched version of the Linux kernel that resolves the vulnerability.
What types of systems are affected by CVE-2024-56555?
CVE-2024-56555 affects Linux kernel versions between 6.12 and 6.12.4, particularly in systems using the Red Hat Kernel-devel.
Is CVE-2024-56555 a remote vulnerability?
CVE-2024-56555 is not a remote vulnerability but could lead to local exploitation if an attacker has access to the affected system.
What specific code component does CVE-2024-56555 involve?
CVE-2024-56555 involves the binder_add_freeze_work function in the Linux kernel, which has a temporary lock drop issue.
- agent/references
- agent/title
- agent/description
- agent/first-publish-date
- agent/type
- agent/author
- agent/event
- agent/source
- collector/mitre-cve
- source/MITRE
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/last-modified-date
- agent/weakness
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- vendor/linux
- canonical/red hat kernel-devel