Bug 1935170 (CVE-2020-0423)

Summary: CVE-2020-0423 kernel: use-after-free in binder_release_work of binder.c due to improper locking may lead to local escalation of privilege
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, bdettelb, bhu, blc, bmasney, brdeoliv, bskeggs, chwhite, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, jarodwilson, jeremy, jforbes, jglisse, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mlangsdo, nmurray, ptalbert, qzhao, rvrbovsk, steved, tomckay, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the binder_release_work of binder.c due to improper locking. This flaw can lead to the local escalation of privileges in the kernel where no additional execution privileges are needed. User interaction is not needed for exploitation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-04 14:20:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1935171    
Bug Blocks: 1935173    

Description Marian Rehak 2021-03-04 13:40:15 UTC 
In binder_release_work of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.

References:

https://source.android.com/security/bulletin/2020-10-01
Comment 1 Marian Rehak 2021-03-04 13:41:41 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1935171]
Comment 2 RaTasha Tillery-Smith 2021-03-04 14:04:11 UTC 
External References:

https://source.android.com/security/bulletin/2020-10-01
Comment 3 Justin M. Forbes 2021-03-04 15:21:34 UTC 
The android platform drivers are not enabled on Fedora.