发布时间: 2024年4月12日
修改时间: 2024年5月27日
In the Linux kernel, the following vulnerability has been resolved:binder: fix async_free_space accounting for empty parcelsIn 4.13, commit 74310e06be4d ( android: binder: Move buffer out of area shared with user space )fixed a kernel structure visibility issue. As part of that patch,sizeof(void *) was used as the buffer size for 0-length data payloads sothe driver could detect abusive clients sending 0-length asynchronoustransactions to a server by enforcing limits on async_free_size.Unfortunately, on the free side, the accounting of async_free_spacedid not add the sizeof(void *) back. The result was that up to 8-bytes ofasync_free_space were leaked on every async transaction of 8-bytes orless. These small transactions are uncommon, so this accounting issuehas gone undetected for several years.The fix is to use buffer_size (the allocated buffer size) instead of size (the logical buffer size) when updating the async_free_spaceduring the free operation. These are the same except for thiscorner case of asynchronous transactions with payloads < 8 bytes.
| NVD | openEuler | |
|---|---|---|
| CVSS评分 | 5.5 | 4.4 |
| Attack Vector | Local | Local |
| Attack Complexity | Low | Low |
| Privileges Required | Low | High |
| User Interaction | None | None |
| Scope | Unchanged | Unchanged |
| Confidentiality | High | High |
| Integrity | None | None |
| Availability | None | None |
| 公告名 | 概要 | 发布时间 |
|---|---|---|
| KylinSec-SA-2024-4772 | kernel security update | 2024年4月12日 |
| 产品 | 包 | 状态 |
|---|---|---|
| KY3.4-4A | kernel | Fixed |
| KY3.4-5A | kernel | Fixed |
| KY3.5.1 | kernel | Unaffected |
| KY3.5.2 | kernel | Unaffected |
