Headline
CVE-2023-21255
In multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Fix commit record:

commit 1ca1130ec62da7638497478539c0f55ffbbf9a5e
tree 7b67b03be07e15952f02d3e0c0b822b76f75c033
parent 2431799f21a1a1edb180876ff4d8a6d9d66deef5
Author: Carlos Llamas <[email protected]>, Fri May 05 06:48:10 2023 +0000
Committer: Treehugger Robot <[email protected]>, Fri May 05 23:19:06 2023 +0000

FROMLIST: binder: fix UAF caused by faulty buffer cleanup

In binder_transaction_buffer_release() the 'failed_at' offset indicates
the number of objects to clean up. However, this function was changed by
commit 44d8047f1d87 ("binder: use standard functions to allocate fds"),
to release all the objects in the buffer when 'failed_at' is zero.

This introduced an issue when a transaction buffer is released without
any objects having been processed so far. In this case, 'failed_at' is
indeed zero yet it is misinterpreted as releasing the entire buffer.

This leads to use-after-free errors where nodes are incorrectly freed
and subsequently accessed. Such is the case in the following KASAN
report:

 ==================================================================
 BUG: KASAN: slab-use-after-free in binder_thread_read+0xc40/0x1f30
 Read of size 8 at addr ffff4faf037cfc58 by task poc/474

 CPU: 6 PID: 474 Comm: poc Not tainted 6.3.0-12570-g7df047b3f0aa #5
 Hardware name: linux,dummy-virt (DT)
 Call trace:
 dump_backtrace+0x94/0xec
 show_stack+0x18/0x24
 dump_stack_lvl+0x48/0x60
 print_report+0xf8/0x5b8
 kasan_report+0xb8/0xfc
 __asan_load8+0x9c/0xb8
 binder_thread_read+0xc40/0x1f30
 binder_ioctl+0xd9c/0x1768
 __arm64_sys_ioctl+0xd4/0x118
 invoke_syscall+0x60/0x188
 [...]

 Allocated by task 474:
 kasan_save_stack+0x3c/0x64
 kasan_set_track+0x2c/0x40
 kasan_save_alloc_info+0x24/0x34
 __kasan_kmalloc+0xb8/0xbc
 kmalloc_trace+0x48/0x5c
 binder_new_node+0x3c/0x3a4
 binder_transaction+0x2b58/0x36f0
 binder_thread_write+0x8e0/0x1b78
 binder_ioctl+0x14a0/0x1768
 __arm64_sys_ioctl+0xd4/0x118
 invoke_syscall+0x60/0x188
 [...]

 Freed by task 475:
 kasan_save_stack+0x3c/0x64
 kasan_set_track+0x2c/0x40
 kasan_save_free_info+0x38/0x5c
 __kasan_slab_free+0xe8/0x154
 __kmem_cache_free+0x128/0x2bc
 kfree+0x58/0x70
 binder_dec_node_tmpref+0x178/0x1fc
 binder_transaction_buffer_release+0x430/0x628
 binder_transaction+0x1954/0x36f0
 binder_thread_write+0x8e0/0x1b78
 binder_ioctl+0x14a0/0x1768
 __arm64_sys_ioctl+0xd4/0x118
 invoke_syscall+0x60/0x188
 [...]
 ==================================================================

In order to avoid these issues, let's always calculate the intended
'failed_at' offset beforehand. This is renamed and wrapped in a helper
function to make it clear and convenient.

Fixes: 32e9f56a96d8 ("binder: don't detect sender/target during buffer cleanup")
Reported-by: Zi Fan Tan <[email protected]>
Link: https://b.corp.google.com/issues/275041864
Cc: [email protected]
Signed-off-by: Carlos Llamas <[email protected]>

Bug: 275041864
Link: https://lore.kernel.org/all/[email protected]
Change-Id: I4bcc8bde77a8118872237d100cccb5caf95d99a1
Signed-off-by: Carlos Llamas <[email protected]>

Files changed:
modify drivers/android/binder.c (old_id 7d784e263d28338b3b629c011ab82b7d873ab4d5, new_id 15ae88216c51e49180b96e3b55e35058ebaa6c87, mode 33188 unchanged)
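The root cause the commit message describes is a sentinel collision: the cleanup routine overloads a cleanup bound of zero to mean "release the whole buffer", so a transaction that fails before processing any object releases references it never took and frees nodes another thread still uses. The following added example is a toy model written for this page, not the kernel's code: the structures and function names (toy_node, buffer_release_old, buffer_release_new, release_entire_buffer, simulate) are constructed, object offsets are simplified to fixed-size slots, and the "other transaction" is modelled as a single pre-existing temporary reference. It shows the old and the fixed cleanup side by side and counts how many nodes end up freed early or leaked.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define OBJ_SIZE    16u                       /* bytes per object slot (constructed) */
#define NUM_OBJECTS 3u
#define BUF_SIZE    (OBJ_SIZE * NUM_OBJECTS)  /* whole transaction buffer */

/* Toy stand-in for a binder node (constructed, not struct binder_node).
 * tmpref counts temporary references held by in-flight transactions;
 * freed models the kfree() that happens when the last one is dropped. */
struct toy_node {
    int tmpref;
    bool freed;
};

struct toy_buffer {
    struct toy_node *objects[NUM_OBJECTS]; /* object i lives at offset i * OBJ_SIZE */
};

static void node_inc_tmpref(struct toy_node *n)
{
    n->tmpref++;
}

/* Mirrors the role of binder_dec_node_tmpref(): the last reference frees the node. */
static void node_dec_tmpref(struct toy_node *n)
{
    if (n->freed)
        return;            /* in a real kernel this would be a double free */
    if (--n->tmpref == 0)
        n->freed = true;
}

/* Drop the references taken for every object in [0, end_offset). */
static void release_range(struct toy_buffer *buf, size_t end_offset)
{
    for (size_t off = 0; off < end_offset; off += OBJ_SIZE)
        node_dec_tmpref(buf->objects[off / OBJ_SIZE]);
}

/* Old behaviour described in the commit: failed_at == 0 is overloaded to
 * mean "release every object", so a failure before the first object was
 * processed is misread as a fully processed buffer. */
static void buffer_release_old(struct toy_buffer *buf, size_t failed_at)
{
    size_t end_offset = failed_at ? failed_at : BUF_SIZE;

    release_range(buf, end_offset);
}

/* Fixed behaviour: the caller always passes the intended end offset, and
 * zero means zero. */
static void buffer_release_new(struct toy_buffer *buf, size_t end_offset)
{
    release_range(buf, end_offset);
}

/* Helper in the spirit of the fix: the whole-buffer case computes its bound
 * explicitly instead of signalling it with a magic zero. */
static void release_entire_buffer(struct toy_buffer *buf)
{
    buffer_release_new(buf, BUF_SIZE);
}

/* Run one transaction that processes objects until fail_after of them have
 * been handled (NUM_OBJECTS means the transaction completes), then clean up
 * with the old or the fixed logic. Every node starts with one tmpref owned
 * by a concurrent transaction, the reference that must survive cleanup.
 * Returns how many nodes end in the wrong state: freed while still
 * referenced elsewhere (tmpref 0) or leaked (tmpref above 1). */
static int simulate(bool use_fix, size_t fail_after)
{
    struct toy_node nodes[NUM_OBJECTS];
    struct toy_buffer buf;
    size_t processed = 0;
    int wrong = 0;

    for (size_t i = 0; i < NUM_OBJECTS; i++) {
        nodes[i].tmpref = 1;               /* held by the other transaction */
        nodes[i].freed = false;
        buf.objects[i] = &nodes[i];
    }

    /* Processing an object takes a temporary reference on its node. */
    while (processed < fail_after && processed < NUM_OBJECTS)
        node_inc_tmpref(buf.objects[processed++]);

    if (processed == NUM_OBJECTS) {          /* whole-buffer release */
        if (use_fix)
            release_entire_buffer(&buf);
        else
            buffer_release_old(&buf, 0);
    } else {                                 /* failure: release what was processed */
        size_t end_offset = processed * OBJ_SIZE;

        if (use_fix)
            buffer_release_new(&buf, end_offset);
        else
            buffer_release_old(&buf, end_offset);
    }

    for (size_t i = 0; i < NUM_OBJECTS; i++)
        if (nodes[i].tmpref != 1)
            wrong++;
    return wrong;
}

int main(void)
{
    printf("old cleanup, failed before first object: %d nodes freed early\n",
           simulate(false, 0));
    printf("fixed cleanup, failed before first object: %d nodes wrong\n",
           simulate(true, 0));
    printf("old cleanup, failed after 2 objects: %d nodes wrong\n",
           simulate(false, 2));
    return 0;
}
```

Only the early-failure case differs between the two versions: the old cleanup with a zero bound touches every node and drops the reference the other transaction still holds, which is exactly the "Freed by task 475" / "Read of size 8 ... by task poc/474" pair in the KASAN report. Cleanup after a non-zero number of processed objects, and the deliberate whole-buffer release, behave identically before and after the fix.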
Related news
Ubuntu Security Notice 6397-1 - Daniel Moghimi discovered that some Intel Processors did not properly clear microarchitectural state after speculative execution of various instructions. A local unprivileged user could use this to obtain sensitive information. Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service.
Ubuntu Security Notice 6339-3 - It was discovered that the NTFS file system implementation in the Linux kernel did not properly validate MFT flags in certain situations. An attacker could use this to construct a malicious NTFS image that, when mounted and operated on, could cause a denial of service. Zi Fan Tan discovered that the binder IPC implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6357-1 - Daniel Moghimi discovered that some Intel Processors did not properly clear microarchitectural state after speculative execution of various instructions. A local unprivileged user could use this to obtain sensitive information. Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service.
Ubuntu Security Notice 6338-2 - Zi Fan Tan discovered that the binder IPC implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the f2fs file system in the Linux kernel, leading to a null pointer dereference vulnerability. An attacker could use this to construct a malicious f2fs image that, when mounted and operated on, could cause a denial of service.
Ubuntu Security Notice 6339-2 - It was discovered that the NTFS file system implementation in the Linux kernel did not properly validate MFT flags in certain situations. An attacker could use this to construct a malicious NTFS image that, when mounted and operated on, could cause a denial of service. Zi Fan Tan discovered that the binder IPC implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6351-1 - It was discovered that the NTFS file system implementation in the Linux kernel did not properly validate MFT flags in certain situations. An attacker could use this to construct a malicious NTFS image that, when mounted and operated on, could cause a denial of service. Zi Fan Tan discovered that the binder IPC implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6350-1 - It was discovered that the NTFS file system implementation in the Linux kernel did not properly validate MFT flags in certain situations. An attacker could use this to construct a malicious NTFS image that, when mounted and operated on, could cause a denial of service. Zi Fan Tan discovered that the binder IPC implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6349-1 - Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service. Zi Fan Tan discovered that the binder IPC implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6344-1 - Zi Fan Tan discovered that the binder IPC implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the f2fs file system in the Linux kernel, leading to a null pointer dereference vulnerability. An attacker could use this to construct a malicious f2fs image that, when mounted and operated on, could cause a denial of service.
Ubuntu Security Notice 6340-1 - Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service. Zi Fan Tan discovered that the binder IPC implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6339-1 - It was discovered that the NTFS file system implementation in the Linux kernel did not properly validate MFT flags in certain situations. An attacker could use this to construct a malicious NTFS image that, when mounted and operated on, could cause a denial of service. Zi Fan Tan discovered that the binder IPC implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6338-1 - Zi Fan Tan discovered that the binder IPC implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the f2fs file system in the Linux kernel, leading to a null pointer dereference vulnerability. An attacker could use this to construct a malicious f2fs image that, when mounted and operated on, could cause a denial of service.
Debian Linux Security Advisory 5480-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.