cve/2024/CVE-2024-56555.md

### [CVE-2024-56555](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56555)
![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=d579b04a52a183db47dfcb7a44304d7747d551e1%3C%206b1be1da1f8279cf091266e71b5153c5b02aaff6%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

In the Linux kernel, the following vulnerability has been resolved:binder: fix OOB in binder_add_freeze_work()In binder_add_freeze_work() we iterate over the proc->nodes with theproc->inner_lock held. However, this lock is temporarily dropped toacquire the node->lock first (lock nesting order). This can race withbinder_deferred_release() which removes the nodes from the proc->nodesrbtree and adds them into binder_dead_nodes list. This leads to a brokeniteration in binder_add_freeze_work() as rb_next() will use data frombinder_dead_nodes, triggering an out-of-bounds access:  ==================================================================  BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124  Read of size 8 at addr ffffcb84285f7170 by task freeze/660  CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18  Hardware name: linux,dummy-virt (DT)  Call trace:   rb_next+0xfc/0x124   binder_add_freeze_work+0x344/0x534   binder_ioctl+0x1e70/0x25ac   __arm64_sys_ioctl+0x124/0x190  The buggy address belongs to the variable:   binder_dead_nodes+0x10/0x40  [...]  ==================================================================This is possible because proc->nodes (rbtree) and binder_dead_nodes(list) share entries in binder_node through a union:	struct binder_node {	[...]		union {			struct rb_node rb_node;			struct hlist_node dead_node;		};Fix the race by checking that the proc is still alive. If not, simplybreak out of the iteration.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/cku-heise/euvd-api-doc
Update CVE sources 2025-09-29 16:08 2025-09-29 16:08:36 +00:00			`### [CVE-2024-56555](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56555)`
			`![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=d579b04a52a183db47dfcb7a44304d7747d551e1%3C%206b1be1da1f8279cf091266e71b5153c5b02aaff6%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)`

			`### Description`

			In the Linux kernel, the following vulnerability has been resolved:binder: fix OOB in binder_add_freeze_work()In binder_add_freeze_work() we iterate over the proc->nodes with theproc->inner_lock held. However, this lock is temporarily dropped toacquire the node->lock first (lock nesting order). This can race withbinder_deferred_release() which removes the nodes from the proc->nodesrbtree and adds them into binder_dead_nodes list. This leads to a brokeniteration in binder_add_freeze_work() as rb_next() will use data frombinder_dead_nodes, triggering an out-of-bounds access: ================================================================== BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124 Read of size 8 at addr ffffcb84285f7170 by task freeze/660 CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18 Hardware name: linux,dummy-virt (DT) Call trace: rb_next+0xfc/0x124 binder_add_freeze_work+0x344/0x534 binder_ioctl+0x1e70/0x25ac __arm64_sys_ioctl+0x124/0x190 The buggy address belongs to the variable: binder_dead_nodes+0x10/0x40 [...] ==================================================================This is possible because proc->nodes (rbtree) and binder_dead_nodes(list) share entries in binder_node through a union: struct binder_node { [...] union { struct rb_node rb_node; struct hlist_node dead_node; };Fix the race by checking that the proc is still alive. If not, simplybreak out of the iteration.

			`### POC`

			`#### Reference`
			`No PoCs from references.`

			`#### Github`
			`- https://github.com/cku-heise/euvd-api-doc`