path: root/retired/CVE-2023-20928
Description: binder: fix UAF of alloc->vma in race with munmap()
References:
 https://android.googlesource.com/kernel/common/+/201d5f4a3ec1
 https://source.android.com/docs/security/bulletin/2023-01-01
 https://bugs.chromium.org/p/project-zero/issues/detail?id=2374
Notes:
 carnil> As noted in the commit: Note this patch is specific to stable
 carnil> branches 5.4 and 5.10. Since in newer kernel releases binder no
 carnil> longer caches a pointer to the vma. Instead, it has been
 carnil> refactored to use vma_lookup() which avoids the issue described
 carnil> here. This switch was introduced in commit a43cfc87caaf
 carnil> ("android: binder: stop saving a pointer to the VMA").
Bugs:
upstream: released (6.0-rc1) [a43cfc87caaf46710c8027a8c23b8a55f1078f19]
5.10-upstream-stable: released (5.10.154) [015ac18be7de25d17d6e5f1643cb3b60bfbe859e]
4.19-upstream-stable: N/A "Vulnerable code introduced later"
sid: released (5.19.6-1)
5.10-bullseye-security: released (5.10.158-1)
4.19-buster-security: N/A "Vulnerable code introduced later"
