CVE-2024-56555

Severity (CVSS v4.0): Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 27/12/2024
Last modified: 01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

binder: fix OOB in binder_add_freeze_work()

In binder_add_freeze_work() we iterate over the proc->nodes with the proc->inner_lock held. However, this lock is temporarily dropped to acquire the node->lock first (lock nesting order). This can race with binder_deferred_release(), which removes the nodes from the proc->nodes rbtree and adds them to the binder_dead_nodes list. This leads to a broken iteration in binder_add_freeze_work(), as rb_next() will use data from binder_dead_nodes, triggering an out-of-bounds access:

==================================================================
BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124
Read of size 8 at addr ffffcb84285f7170 by task freeze/660

CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18
Hardware name: linux,dummy-virt (DT)
Call trace:
 rb_next+0xfc/0x124
 binder_add_freeze_work+0x344/0x534
 binder_ioctl+0x1e70/0x25ac
 __arm64_sys_ioctl+0x124/0x190

The buggy address belongs to the variable:
 binder_dead_nodes+0x10/0x40
[...]
==================================================================

This is possible because proc->nodes (rbtree) and binder_dead_nodes (list) share entries in binder_node through a union:

struct binder_node {
    [...]
    union {
        struct rb_node rb_node;
        struct hlist_node dead_node;
    };
};

Fix the race by checking that the proc is still alive. If not, simply break out of the iteration.
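To make the mechanism concrete, here is an added C example; it is not part of the advisory and not the kernel's own code. It uses cut-down stand-ins for rb_node, hlist_node, binder_node and binder_proc that keep the kernel's field order, a plain unbalanced three-node tree in place of the rbtree, and simulated versions of binder_deferred_release() and the binder_add_freeze_work() loop. The parameter release_at and the functions run_scenario() and dead_head_rb_right_points_into_global() are this example's own names. With the race injected mid-walk, the fixed loop stops at the is_dead check; the last helper shows why an unchecked loop reads a global: once a node is on the dead list, its pprev link occupies the slot rb_next() reads as rb_right, and for the list's head node that link is &binder_dead_nodes.first, so following it reads rb_left 16 bytes into an 8-byte global, consistent with the "binder_dead_nodes+0x10" read of size 8 in the report above.

```c
#include <stdbool.h>
#include <stddef.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Stand-ins for the kernel types in the advisory (illustrative, not kernel code).
 * Field order mirrors the kernel (parent word, rb_right, rb_left; next, pprev):
 * it decides which rb_node slot each hlist link lands in via the union. */
struct rb_node { struct rb_node *rb_parent, *rb_right, *rb_left; };
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };

struct binder_node {
    int debug_id;
    union {
        struct rb_node rb_node;      /* on proc->nodes while the proc is alive */
        struct hlist_node dead_node; /* on binder_dead_nodes after release */
    };
};

/* is_dead is set by the simulated binder_deferred_release(); nodes is the root. */
struct binder_proc { bool is_dead; struct rb_node *nodes; };

static struct hlist_head binder_dead_nodes;

static struct rb_node *rb_first(struct rb_node *n)
{
    while (n && n->rb_left) n = n->rb_left;
    return n;
}
/* In-order successor, computed the way the kernel's rb_next() computes it. */
static struct rb_node *rb_next(struct rb_node *n)
{
    if (n->rb_right) return rb_first(n->rb_right);
    while (n->rb_parent && n == n->rb_parent->rb_right) n = n->rb_parent;
    return n->rb_parent;
}

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    n->next = h->first;
    if (h->first) h->first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}
/* Simulated binder_deferred_release(): move every node onto binder_dead_nodes.
 * A node's children are read before its own rb links are clobbered. */
static void release_subtree(struct rb_node *n)
{
    if (!n) return;
    struct rb_node *l = n->rb_left, *r = n->rb_right;
    hlist_add_head(&container_of(n, struct binder_node, rb_node)->dead_node, &binder_dead_nodes);
    release_subtree(l); release_subtree(r);
}
static void binder_deferred_release(struct binder_proc *proc)
{
    release_subtree(proc->nodes);
    proc->nodes = NULL; proc->is_dead = true;
}

/* Simulated binder_add_freeze_work() loop. At each node proc->inner_lock is
 * dropped to take node->lock; release_at injects binder_deferred_release() in
 * that window at the given step (0 = never). The is_dead check after re-taking
 * the lock is the fix: without it rb_next() would run on a node whose rb_node
 * slots now hold hlist links. Returns the number of nodes visited. */
static int add_freeze_work_fixed(struct binder_proc *proc, int release_at)
{
    int visited = 0;
    for (struct rb_node *n = rb_first(proc->nodes); n; n = rb_next(n)) {
        visited++;
        if (visited == release_at)   /* race while inner_lock is dropped */
            binder_deferred_release(proc);
        if (proc->is_dead)           /* inner_lock re-taken: proc gone, stop */
            break;
    }
    return visited;
}

/* True when the dead list's head node has &binder_dead_nodes.first in its
 * rb_right slot: rb_next() on it would treat the 8-byte global as an rb_node
 * and read rb_left 16 bytes in (the report's binder_dead_nodes+0x10, size 8). */
static bool dead_head_rb_right_points_into_global(void)
{
    if (!binder_dead_nodes.first) return false;
    struct binder_node *bn = container_of(binder_dead_nodes.first, struct binder_node, dead_node);
    return (void *)bn->rb_node.rb_right == (void *)&binder_dead_nodes.first;
}

/* Constructed three-node tree (root 2, left 1, right 3); run the fixed loop with
 * the race injected at step release_at and return how many nodes it visited. */
static int run_scenario(int release_at)
{
    static struct binder_node nd[3];
    struct binder_proc proc = { .is_dead = false, .nodes = &nd[0].rb_node };
    binder_dead_nodes.first = NULL;
    nd[0].debug_id = 2; nd[1].debug_id = 1; nd[2].debug_id = 3;
    nd[0].rb_node = (struct rb_node){ NULL, &nd[2].rb_node, &nd[1].rb_node };
    nd[1].rb_node = (struct rb_node){ &nd[0].rb_node, NULL, NULL };
    nd[2].rb_node = (struct rb_node){ &nd[0].rb_node, NULL, NULL };
    return add_freeze_work_fixed(&proc, release_at);
}
```

run_scenario(0) walks all three nodes; run_scenario(2) returns 2 because the proc is marked dead during the second step and the fixed loop breaks instead of calling rb_next() again, and dead_head_rb_right_points_into_global() is then true, which is the pointer an unchecked rb_next() would have followed.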

Vulnerable products and versions

CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
From: 6.12 (including)
Up to: 6.12.4 (excluding)