CVE-2022-49939
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/06/2025
Last modified: 18/06/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

binder: fix UAF of ref->proc caused by race condition

A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the
reference for a node. In this case, the target proc normally releases
the failed reference upon close as expected. However, if the target is
dying in parallel the call will race with binder_deferred_release(), so
the target could have released all of its references by now leaving the
cleanup of the new failed reference unhandled.

The transaction then ends and the target proc gets released making the
ref->proc now a dangling pointer. Later on, ref->node is closed and we
attempt to take spin_lock(&ref->proc->inner_lock), which leads to the
use-after-free bug reported below. Let's fix this by cleaning up the
failed reference on the spot instead of relying on the target to do so.

==================================================================
BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150
Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590

CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
Call trace:
dump_backtrace.part.0+0x1d0/0x1e0
show_stack+0x18/0x70
dump_stack_lvl+0x68/0x84
print_report+0x2e4/0x61c
kasan_report+0xa4/0x110
kasan_check_range+0xfc/0x1a4
__kasan_check_write+0x3c/0x50
_raw_spin_lock+0xa8/0x150
binder_deferred_func+0x5e0/0x9b0
process_one_work+0x38c/0x5f0
worker_thread+0x9c/0x694
kthread+0x188/0x190
ret_from_fork+0x10/0x20
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/06e5b43ca4dab06a92bf4c2f33766e6fb11b880a
- https://git.kernel.org/stable/c/229f47603dd306bc0eb1a831439adb8e48bb0eae
- https://git.kernel.org/stable/c/30d0901b307f27d36b2655fb3048cf31ee0e89c0
- https://git.kernel.org/stable/c/603a47f2ae56bf68288784d3c0a8c5b8e0a827ed
- https://git.kernel.org/stable/c/9629f2dfdb1dad294b468038ff8e161e94d0b609
- https://git.kernel.org/stable/c/a0e44c64b6061dda7e00b7c458e4523e2331b739
- https://git.kernel.org/stable/c/c2a4b5dc8fa71af73bab704d0cac42ac39767ed6