CVE-2021-46935
binder: fix async_free_space accounting for empty parcels
Severity Score
Exploit Likelihood
Affected Versions
6Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved: binder: fix async_free_space accounting for empty parcels In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
fixed a kernel structure visibility issue. As part of that patch,
sizeof(void *) was used as the buffer size for 0-length data payloads so
the driver could detect abusive clients sending 0-length asynchronous
transactions to a server by enforcing limits on async_free_size. Unfortunately, on the "free" side, the accounting of async_free_space
did not add the sizeof(void *) back. The result was that up to 8-bytes of
async_free_space were leaked on every async transaction of 8-bytes or
less. These small transactions are uncommon, so this accounting issue
has gone undetected for several years. The fix is to use "buffer_size" (the allocated buffer size) instead of
"size" (the logical buffer size) when updating the async_free_space
during the free operation. These are the same except for this
corner case of asynchronous transactions with payloads < 8 bytes.
En el kernel de Linux, se resolvió la siguiente vulnerabilidad: binder: corrige la contabilidad async_free_space para paquetes vacíos En 4.13, el commit 74310e06be4d ("android: binder: mover el búfer fuera del área compartida con el espacio del usuario") solucionó un problema de visibilidad de la estructura del kernel. Como parte de ese parche, se usó sizeof(void *) como tamaño de búfer para cargas de datos de longitud 0, de modo que el controlador pudiera detectar clientes abusivos que enviaran transacciones asincrónicas de longitud 0 a un servidor imponiendo límites en async_free_size. Desafortunadamente, en el lado "libre", la contabilidad de async_free_space no volvió a agregar el tamaño de (void *). El resultado fue que se filtraron hasta 8 bytes de async_free_space en cada transacción asíncrona de 8 bytes o menos. Estas pequeñas transacciones son poco comunes, por lo que este problema contable ha pasado desapercibido durante varios años. La solución es utilizar "buffer_size" (el tamaño del búfer asignado) en lugar de "size" (el tamaño del búfer lógico) al actualizar async_free_space durante la operación libre. Son iguales excepto por este caso de esquina de transacciones asincrónicas con payloads <8 bytes.
In the Linux kernel, the following vulnerability has been resolved: binder: fix async_free_space accounting for empty parcels In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space") fixed a kernel structure visibility issue. As part of that patch, sizeof(void *) was used as the buffer size for 0-length data payloads so the driver could detect abusive clients sending 0-length asynchronous transactions to a server by enforcing limits on async_free_size. Unfortunately, on the "free" side, the accounting of async_free_space did not add the sizeof(void *) back. The result was that up to 8-bytes of async_free_space were leaked on every async transaction of 8-bytes or less. These small transactions are uncommon, so this accounting issue has gone undetected for several years. The fix is to use "buffer_size" (the allocated buffer size) instead of "size" (the logical buffer size) when updating the async_free_space during the free operation. These are the same except for this corner case of asynchronous transactions with payloads < 8 bytes.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-25 CVE Reserved
- 2024-02-27 CVE Published
- 2024-12-19 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-668: Exposure of Resource to Wrong Sphere
CAPEC
References (7)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|