mirror of
https://github.com/0xMarcio/cve.git
synced 2025-11-28 18:48:49 +00:00
20 lines
2.0 KiB
Markdown
20 lines
2.0 KiB
Markdown
### [CVE-2024-56554](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56554)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### Description
|
|
|
|
In the Linux kernel, the following vulnerability has been resolved:binder: fix freeze UAF in binder_release_work()When a binder reference is cleaned up, any freeze work queued in theassociated process should also be removed. Otherwise, the reference isfreed while its ref->freeze.work is still queued in proc->work leadingto a use-after-free issue as shown by the following KASAN report: ================================================================== BUG: KASAN: slab-use-after-free in binder_release_work+0x398/0x3d0 Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211 CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22 Hardware name: linux,dummy-virt (DT) Workqueue: events binder_deferred_func Call trace: binder_release_work+0x398/0x3d0 binder_deferred_func+0xb60/0x109c process_one_work+0x51c/0xbd4 worker_thread+0x608/0xee8 Allocated by task 703: __kmalloc_cache_noprof+0x130/0x280 binder_thread_write+0xdb4/0x42a0 binder_ioctl+0x18f0/0x25ac __arm64_sys_ioctl+0x124/0x190 invoke_syscall+0x6c/0x254 Freed by task 211: kfree+0xc4/0x230 binder_deferred_func+0xae8/0x109c process_one_work+0x51c/0xbd4 worker_thread+0x608/0xee8 ==================================================================This commit fixes the issue by ensuring any queued freeze work is removedwhen cleaning up a binder reference.
|
|
|
|
### POC
|
|
|
|
#### Reference
|
|
No PoCs from references.
|
|
|
|
#### Github
|
|
- https://github.com/cku-heise/euvd-api-doc
|
|
|