CVE-2025-40028
Severity:
Pending analysis
Type:
Not available / Other
Publication date:
28/10/2025
Last modified:
30/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

binder: fix double-free in dbitmap

A process might fail to allocate a new bitmap when trying to expand its
proc->dmap. In that case, dbitmap_grow() fails and frees the old bitmap
via dbitmap_free(). However, the driver calls dbitmap_free() again when
the same process terminates, leading to a double-free error:

==================================================================
BUG: KASAN: double-free in binder_proc_dec_tmpref+0x2e0/0x55c
Free of addr ffff00000b7c1420 by task kworker/9:1/209

CPU: 9 UID: 0 PID: 209 Comm: kworker/9:1 Not tainted 6.17.0-rc6-dirty #5 PREEMPT
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
Call trace:
kfree+0x164/0x31c
binder_proc_dec_tmpref+0x2e0/0x55c
binder_deferred_func+0xc24/0x1120
process_one_work+0x520/0xba4
[...]

Allocated by task 448:
__kmalloc_noprof+0x178/0x3c0
bitmap_zalloc+0x24/0x30
binder_open+0x14c/0xc10
[...]

Freed by task 449:
kfree+0x184/0x31c
binder_inc_ref_for_node+0xb44/0xe44
binder_transaction+0x29b4/0x7fbc
binder_thread_write+0x1708/0x442c
binder_ioctl+0x1b50/0x2900
[...]
==================================================================

Fix this issue by marking proc->map NULL in dbitmap_free().
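As an added illustration (not the kernel's own dbitmap.h code), the following user-space C model replays the lifecycle described above: the grow failure path frees the old bitmap, process exit frees again, and a small KASAN-style allocation tracker flags the second free in the vulnerable variant while the fixed variant, which sets the pointer to NULL, stays clean. The tracker, the _vuln/_fixed suffixes and the bitmap sizes are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
/* Added example, not the kernel's dbitmap.h: user-space model of the binder dbitmap
 * lifecycle plus a small KASAN-style tracker that reports a double free safely. */
struct dbitmap { unsigned int nbits; unsigned long *map; };
#define BITS_PER_LONG (8 * sizeof(unsigned long))
#define MAP_BYTES(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG * sizeof(unsigned long))
#define MAX_LIVE 8
static void *live[MAX_LIVE];   /* allocations currently owned by the model */
static int double_frees;       /* double frees the tracker has caught */
static void *model_kmalloc(size_t bytes, bool oom)
{
    void *p = oom ? NULL : calloc(bytes, 1);      /* oom simulates -ENOMEM */
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p); return NULL;                         /* failed, or registry full */
}
static void model_kfree(void *p)
{
    if (!p) return;                               /* kfree(NULL) is a no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;                               /* not live: a double free */
}
/* Vulnerable dbitmap_free(): releases the map but leaves the pointer dangling. */
static void dbitmap_free_vuln(struct dbitmap *d) { d->nbits = 0; model_kfree(d->map); }
/* Fixed dbitmap_free(): also clears the pointer, so a second call is harmless. */
static void dbitmap_free_fixed(struct dbitmap *d)
{ d->nbits = 0; model_kfree(d->map); d->map = NULL; }
/* dbitmap_grow(): if the new allocation fails, the old map is released through
 * dbitmap_free(), the failure path the CVE describes. Returns true on success. */
static bool dbitmap_grow(struct dbitmap *d, unsigned int nbits, bool oom,
                         void (*dfree)(struct dbitmap *))
{
    unsigned long *nmap = model_kmalloc(MAP_BYTES(nbits), oom);
    if (!nmap) { dfree(d); return false; }
    if (d->map) memcpy(nmap, d->map, MAP_BYTES(d->nbits));
    model_kfree(d->map);
    d->map = nmap; d->nbits = nbits; return true;
}
/* Lifecycle from the report: binder_open() allocates, a transaction tries to
 * grow (possibly hitting OOM), process exit frees. Returns double frees seen. */
static int run_lifecycle(bool grow_oom, void (*dfree)(struct dbitmap *))
{
    struct dbitmap d = { 64, model_kmalloc(MAP_BYTES(64), false) }; double_frees = 0;
    dbitmap_grow(&d, 128, grow_oom, dfree);
    dfree(&d);                                    /* binder_proc_dec_tmpref path */
    return double_frees;
}
```

Only the combination of a failed grow and the vulnerable free produces a second free of the same storage; with the NULL-clearing free the second kfree becomes a no-op on NULL.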