CVE-2024-56556

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> binder: fix node UAF in binder_add_freeze_work()<br /> <br /> In binder_add_freeze_work() we iterate over the proc-&gt;nodes with the<br /> proc-&gt;inner_lock held. However, this lock is temporarily dropped in<br /> order to acquire the node-&gt;lock first (lock nesting order). This can<br /> race with binder_node_release() and trigger a use-after-free:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c<br /> Write of size 4 at addr ffff53c04c29dd04 by task freeze/640<br /> <br /> CPU: 5 UID: 0 PID: 640 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #17<br /> Hardware name: linux,dummy-virt (DT)<br /> Call trace:<br /> _raw_spin_lock+0xe4/0x19c<br /> binder_add_freeze_work+0x148/0x478<br /> binder_ioctl+0x1e70/0x25ac<br /> __arm64_sys_ioctl+0x124/0x190<br /> <br /> Allocated by task 637:<br /> __kmalloc_cache_noprof+0x12c/0x27c<br /> binder_new_node+0x50/0x700<br /> binder_transaction+0x35ac/0x6f74<br /> binder_thread_write+0xfb8/0x42a0<br /> binder_ioctl+0x18f0/0x25ac<br /> __arm64_sys_ioctl+0x124/0x190<br /> <br /> Freed by task 637:<br /> kfree+0xf0/0x330<br /> binder_thread_read+0x1e88/0x3a68<br /> binder_ioctl+0x16d8/0x25ac<br /> __arm64_sys_ioctl+0x124/0x190<br /> ==================================================================<br /> <br /> Fix the race by taking a temporary reference on the node before<br /> releasing the proc-&gt;inner lock. This ensures the node remains alive<br /> while in use.