CVE-2021-46935

binder: fix async_free_space accounting for empty parcels

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

binder: fix async_free_space accounting for empty parcels

In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
fixed a kernel structure visibility issue. As part of that patch,
sizeof(void *) was used as the buffer size for 0-length data payloads so
the driver could detect abusive clients sending 0-length asynchronous
transactions to a server by enforcing limits on async_free_size.

Unfortunately, on the "free" side, the accounting of async_free_space
did not add the sizeof(void *) back. The result was that up to 8-bytes of
async_free_space were leaked on every async transaction of 8-bytes or
less. These small transactions are uncommon, so this accounting issue
has gone undetected for several years.

The fix is to use "buffer_size" (the allocated buffer size) instead of
"size" (the logical buffer size) when updating the async_free_space
during the free operation. These are the same except for this
corner case of asynchronous transactions with payloads < 8 bytes.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: binder: corrige la contabilidad async_free_space para paquetes vacíos En 4.13, el commit 74310e06be4d ("android: binder: mover el búfer fuera del área compartida con el espacio del usuario") solucionó un problema de visibilidad de la estructura del kernel. Como parte de ese parche, se usó sizeof(void *) como tamaño de búfer para cargas de datos de longitud 0, de modo que el controlador pudiera detectar clientes abusivos que enviaran transacciones asincrónicas de longitud 0 a un servidor imponiendo límites en async_free_size. Desafortunadamente, en el lado "libre", la contabilidad de async_free_space no volvió a agregar el tamaño de (void *). El resultado fue que se filtraron hasta 8 bytes de async_free_space en cada transacción asíncrona de 8 bytes o menos. Estas pequeñas transacciones son poco comunes, por lo que este problema contable ha pasado desapercibido durante varios años. La solución es utilizar "buffer_size" (el tamaño del búfer asignado) en lugar de "size" (el tamaño del búfer lógico) al actualizar async_free_space durante la operación libre. Son iguales excepto por este caso de esquina de transacciones asincrónicas con payloads <8 bytes.

*Credits: N/A

CVSS Scores

NISTv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-25 CVE Reserved
2024-02-27 CVE Published
2024-02-28 EPSS Updated
2024-11-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-668: Exposure of Resource to Wrong Sphere

CAPEC

References (7)

URL	Tag	Source
https://git.kernel.org/stable/c/74310e06be4d74dcf67cd108366710dee5c576d5	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/2d2df539d05205fd83c404d5f2dff48d36f9b495	2022-01-05
https://git.kernel.org/stable/c/7c7064402609aeb6fb11be1b4ec10673ff17b593	2022-01-05
https://git.kernel.org/stable/c/103b16a8c51f96d5fe063022869ea906c256e5da	2022-01-05
https://git.kernel.org/stable/c/1cb8444f3114f0bb2f6e3bcadcf09aa4a28425d4	2022-01-05
https://git.kernel.org/stable/c/17691bada6b2f1d5f1c0f6d28cd9d0727023b0ff	2022-01-05
https://git.kernel.org/stable/c/cfd0d84ba28c18b531648c9d4a35ecca89ad9901	2021-12-21

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 4.14.261 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 4.14.261"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 4.19.224 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 4.19.224"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 5.4.170 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 5.4.170"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 5.10.90 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 5.10.90"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 5.15.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 5.15.13"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 5.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 5.16"		en		Affected