Bug 2139598 (CVE-2022-20421) - CVE-2022-20421 kernel: use after free in binder_inc_ref_for_node in drivers/android/binder.c due
Summary: CVE-2022-20421 kernel: use after free in binder_inc_ref_for_node in drivers/a...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2022-20421
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2136006
Reported: 2022-11-03 04:28 UTC by Rohit Keshri
Modified: 2022-12-03 06:34 UTC (History)

Fixed In Version: kernel 6.0 rc4
Doc Type: ---
Doc Text:
A vulnerability was found in the binder_inc_ref_for_node function in drivers/android/binder.c due to memory corruption, causing a use-after-free issue in the Linux kernel. This flaw could lead to local privilege escalation.
Clone Of:
Environment:
Last Closed: 2022-12-03 06:34:22 UTC



Description Rohit Keshri 2022-11-03 04:28:13 UTC
A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the
reference for a node. In this case, the target proc normally releases
the failed reference upon close as expected. However, if the target is
dying in parallel the call will race with binder_deferred_release(), so
the target could have released all of its references by now leaving the
cleanup of the new failed reference unhandled.

The transaction then ends and the target proc gets released making the
ref->proc now a dangling pointer. Later on, ref->node is closed and we
attempt to take spin_lock(&ref->proc->inner_lock), which leads to the
use-after-free bug reported below. 

  ==================================================================
  BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150
  Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590

  CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10
  Hardware name: linux,dummy-virt (DT)
  Workqueue: events binder_deferred_func
  Call trace:
   dump_backtrace.part.0+0x1d0/0x1e0
   show_stack+0x18/0x70
   dump_stack_lvl+0x68/0x84
   print_report+0x2e4/0x61c
   kasan_report+0xa4/0x110
   kasan_check_range+0xfc/0x1a4
   __kasan_check_write+0x3c/0x50
   _raw_spin_lock+0xa8/0x150
   binder_deferred_func+0x5e0/0x9b0
   process_one_work+0x38c/0x5f0
   worker_thread+0x9c/0x694
   kthread+0x188/0x190
   ret_from_fork+0x10/0x20

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a0e44c64b6061dda7e00b7c458e4523e2331b739

Comment 3 Rohit Keshri 2022-11-03 04:31:36 UTC
There was no shipped kernel version that was seen affected by this problem. These files are not built in our source code.

Comment 4 Product Security DevOps Team 2022-12-03 06:34:18 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-20421

