{ "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", "CVE_data_meta": { "ID": "CVE-2024-56556", "ASSIGNER": "cve@kernel.org", "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix node UAF in binder_add_freeze_work()\n\nIn binder_add_freeze_work() we iterate over the proc->nodes with the\nproc->inner_lock held. However, this lock is temporarily dropped in\norder to acquire the node->lock first (lock nesting order). This can\nrace with binder_node_release() and trigger a use-after-free:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c\n Write of size 4 at addr ffff53c04c29dd04 by task freeze/640\n\n CPU: 5 UID: 0 PID: 640 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #17\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n _raw_spin_lock+0xe4/0x19c\n binder_add_freeze_work+0x148/0x478\n binder_ioctl+0x1e70/0x25ac\n __arm64_sys_ioctl+0x124/0x190\n\n Allocated by task 637:\n __kmalloc_cache_noprof+0x12c/0x27c\n binder_new_node+0x50/0x700\n binder_transaction+0x35ac/0x6f74\n binder_thread_write+0xfb8/0x42a0\n binder_ioctl+0x18f0/0x25ac\n __arm64_sys_ioctl+0x124/0x190\n\n Freed by task 637:\n kfree+0xf0/0x330\n binder_thread_read+0x1e88/0x3a68\n binder_ioctl+0x16d8/0x25ac\n __arm64_sys_ioctl+0x124/0x190\n ==================================================================\n\nFix the race by taking a temporary reference on the node before\nreleasing the proc->inner lock. This ensures the node remains alive\nwhile in use." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "affects": { "vendor": { "vendor_data": [ { "vendor_name": "Linux", "product": { "product_data": [ { "product_name": "Linux", "version": { "version_data": [ { "version_affected": "<", "version_name": "d579b04a52a183db47dfcb7a44304d7747d551e1", "version_value": "38fbefeb2c140b581ed7de8117a5c90d6dd89c22" }, { "version_value": "not down converted", "x_cve_json_5_version_data": { "versions": [ { "version": "6.12", "status": "affected" }, { "version": "0", "lessThan": "6.12", "status": "unaffected", "versionType": "semver" }, { "version": "6.12.4", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.13-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ], "defaultStatus": "affected" } } ] } } ] } } ] } }, "references": { "reference_data": [ { "url": "https://git.kernel.org/stable/c/38fbefeb2c140b581ed7de8117a5c90d6dd89c22", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/38fbefeb2c140b581ed7de8117a5c90d6dd89c22" }, { "url": "https://git.kernel.org/stable/c/dc8aea47b928cc153b591b3558829ce42f685074", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/dc8aea47b928cc153b591b3558829ce42f685074" } ] }, "generator": { "engine": "bippy-5f407fcff5a0" } }