CVE-2024-56554

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> binder: fix freeze UAF in binder_release_work()<br /> <br /> When a binder reference is cleaned up, any freeze work queued in the<br /> associated process should also be removed. Otherwise, the reference is<br /> freed while its ref-&gt;freeze.work is still queued in proc-&gt;work leading<br /> to a use-after-free issue as shown by the following KASAN report:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in binder_release_work+0x398/0x3d0<br /> Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211<br /> <br /> CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22<br /> Hardware name: linux,dummy-virt (DT)<br /> Workqueue: events binder_deferred_func<br /> Call trace:<br /> binder_release_work+0x398/0x3d0<br /> binder_deferred_func+0xb60/0x109c<br /> process_one_work+0x51c/0xbd4<br /> worker_thread+0x608/0xee8<br /> <br /> Allocated by task 703:<br /> __kmalloc_cache_noprof+0x130/0x280<br /> binder_thread_write+0xdb4/0x42a0<br /> binder_ioctl+0x18f0/0x25ac<br /> __arm64_sys_ioctl+0x124/0x190<br /> invoke_syscall+0x6c/0x254<br /> <br /> Freed by task 211:<br /> kfree+0xc4/0x230<br /> binder_deferred_func+0xae8/0x109c<br /> process_one_work+0x51c/0xbd4<br /> worker_thread+0x608/0xee8<br /> ==================================================================<br /> <br /> This commit fixes the issue by ensuring any queued freeze work is removed<br /> when cleaning up a binder reference.