CVE-2025-38175

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> binder: fix yet another UAF in binder_devices<br /> <br /> Commit e77aff5528a18 ("binderfs: fix use-after-free in binder_devices")<br /> addressed a use-after-free where devices could be released without first<br /> being removed from the binder_devices list. However, there is a similar<br /> path in binder_free_proc() that was missed:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100<br /> Write of size 8 at addr ffff0000c773b900 by task umount/467<br /> CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT<br /> Hardware name: linux,dummy-virt (DT)<br /> Call trace:<br /> binder_remove_device+0xd4/0x100<br /> binderfs_evict_inode+0x230/0x2f0<br /> evict+0x25c/0x5dc<br /> iput+0x304/0x480<br /> dentry_unlink_inode+0x208/0x46c<br /> __dentry_kill+0x154/0x530<br /> [...]<br /> <br /> Allocated by task 463:<br /> __kmalloc_cache_noprof+0x13c/0x324<br /> binderfs_binder_device_create.isra.0+0x138/0xa60<br /> binder_ctl_ioctl+0x1ac/0x230<br /> [...]<br /> <br /> Freed by task 215:<br /> kfree+0x184/0x31c<br /> binder_proc_dec_tmpref+0x33c/0x4ac<br /> binder_deferred_func+0xc10/0x1108<br /> process_one_work+0x520/0xba4<br /> [...]<br /> ==================================================================<br /> <br /> Call binder_remove_device() within binder_free_proc() to ensure the<br /> device is removed from the binder_devices list before being kfreed.