CVE-2024-46740

Severity (CVSS v4.0): Pending analysis
Type: CWE-416 Use After Free
Publication date: 18/09/2024
Last modified: 18/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

binder: fix UAF caused by offsets overwrite

Binder objects are processed and copied individually into the target
buffer during transactions. Any raw data in-between these objects is
copied as well. However, this raw data copy lacks an out-of-bounds
check. If the raw data exceeds the data section size then the copy
overwrites the offsets section. This eventually triggers an error that
attempts to unwind the processed objects. However, at this point the
offsets used to index these objects are now corrupted.

Unwinding with corrupted offsets can result in decrements of arbitrary
nodes and lead to their premature release. Other users of such nodes are
left with a dangling pointer triggering a use-after-free. This issue is
made evident by the following KASAN report (trimmed):

==================================================================
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
Write of size 4 at addr ffff47fc91598f04 by task binder-util/743

CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1
Hardware name: linux,dummy-virt (DT)
Call trace:
 _raw_spin_lock+0xe4/0x19c
 binder_free_buf+0x128/0x434
 binder_thread_write+0x8a4/0x3260
 binder_ioctl+0x18f0/0x258c
 [...]

Allocated by task 743:
 __kmalloc_cache_noprof+0x110/0x270
 binder_new_node+0x50/0x700
 binder_transaction+0x413c/0x6da8
 binder_thread_write+0x978/0x3260
 binder_ioctl+0x18f0/0x258c
 [...]

Freed by task 745:
 kfree+0xbc/0x208
 binder_thread_read+0x1c5c/0x37d4
 binder_ioctl+0x16d8/0x258c
 [...]
==================================================================

To avoid this issue, let's check that the raw data copy is within the
boundaries of the data section.
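The defect described above is a missing bounds check on a copy into a buffer whose data section is immediately followed by its offsets section. The following userspace model, added here and not the kernel's binder code, shows the two sections laid out in one buffer, a copy routine with no check (the pre-fix behaviour, which can spill into the offsets), and the kind of check the fix adds so that any raw copy that would not fit entirely inside the data section fails instead of corrupting the offsets. All names, sizes and the sample offsets are constructed for this illustration; the real binder buffer layout, alignment and error paths are more involved.

```c
/* Added example: a simplified model of a transaction buffer with a data
 * section followed by an offsets section, plus a bounds-checked raw copy.
 * Not the kernel's binder code; names, sizes and layout are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TXN_DATA_SIZE     32   /* constructed: bytes in the data section */
#define TXN_OFFSETS_COUNT  2   /* constructed: number of object offsets */

/* Target buffer: [ data section | offsets section ] in one allocation. */
struct txn_buf {
    size_t data_size;     /* size of the data section in bytes */
    size_t offsets_size;  /* size of the offsets section in bytes */
    uint8_t mem[TXN_DATA_SIZE + TXN_OFFSETS_COUNT * sizeof(uint64_t)];
};

static void txn_buf_init(struct txn_buf *b)
{
    /* Constructed offsets: two objects at data offsets 0 and 16. */
    uint64_t offs[TXN_OFFSETS_COUNT] = { 0, 16 };
    b->data_size = TXN_DATA_SIZE;
    b->offsets_size = TXN_OFFSETS_COUNT * sizeof(uint64_t);
    memset(b->mem, 0, sizeof(b->mem));
    memcpy(b->mem + b->data_size, offs, sizeof(offs));
}

/* Read offset i from the offsets section (what an unwind would index by). */
static uint64_t txn_buf_offset(const struct txn_buf *b, size_t i)
{
    uint64_t v;
    memcpy(&v, b->mem + b->data_size + i * sizeof(uint64_t), sizeof(v));
    return v;
}

/* Model of the pre-fix behaviour: raw bytes between objects are copied
 * with no check against the data section size, so they can run into
 * the offsets section that follows it. */
static int copy_raw_unchecked(struct txn_buf *b, size_t dst_off,
                              const uint8_t *src, size_t len)
{
    memcpy(b->mem + dst_off, src, len);
    return 0;
}

/* Hardened copy: reject any raw copy that does not fit entirely inside the
 * data section. The subtraction form avoids wrap-around in dst_off + len. */
static int copy_raw_checked(struct txn_buf *b, size_t dst_off,
                            const uint8_t *src, size_t len)
{
    if (dst_off > b->data_size || len > b->data_size - dst_off)
        return -EINVAL;   /* out of bounds: fail the transaction instead */
    memcpy(b->mem + dst_off, src, len);
    return 0;
}

/* Returns 1 if a 20-byte raw copy at data offset 16 (4 bytes past the end
 * of the 32-byte data section) changes offset[0] under the unchecked copy. */
int demo_unchecked_corrupts_offsets(void)
{
    struct txn_buf b;
    uint8_t raw[20];
    txn_buf_init(&b);
    memset(raw, 0xAA, sizeof(raw));
    copy_raw_unchecked(&b, 16, raw, sizeof(raw));
    return txn_buf_offset(&b, 0) != 0;
}

/* Returns the checked copy's error code for the same input and stores
 * whether both offsets survived unchanged in *intact. */
int demo_checked_rejects(int *intact)
{
    struct txn_buf b;
    uint8_t raw[20];
    int rc;
    txn_buf_init(&b);
    memset(raw, 0xAA, sizeof(raw));
    rc = copy_raw_checked(&b, 16, raw, sizeof(raw));
    *intact = (txn_buf_offset(&b, 0) == 0 && txn_buf_offset(&b, 1) == 16);
    return rc;
}

/* A copy that exactly fills the rest of the data section is still accepted. */
int demo_checked_accepts_in_bounds(void)
{
    struct txn_buf b;
    uint8_t raw[16];
    txn_buf_init(&b);
    memset(raw, 0x55, sizeof(raw));
    return copy_raw_checked(&b, 16, raw, sizeof(raw));
}

int main(void)
{
    int intact = 0;
    printf("unchecked copy corrupts offsets: %d\n", demo_unchecked_corrupts_offsets());
    printf("checked copy rc=%d, offsets intact=%d\n",
           demo_checked_rejects(&intact), intact);
    printf("checked in-bounds copy rc=%d\n", demo_checked_accepts_in_bounds());
    return 0;
}
```

The check compares against the data section size only, not the whole allocation: the offsets section is live metadata that the unwind path will later index with, so a copy that merely stays inside the allocation is not enough. Writing the check as `len > data_size - dst_off` after confirming `dst_off <= data_size` keeps it correct even when `dst_off + len` would wrap.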

Vulnerable products and versions

CPE                                             From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.4.226 (including)  5.4.284 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.10.157 (including) 5.10.226 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.15.17 (including)  5.15.167 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.17 (including)     6.1.110 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.2 (including)      6.6.51 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.7 (including)      6.10.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*