ghsa-4hg9-w486-7gv5
Vulnerability from github
Published
2025-06-18 12:30
Modified
2025-06-18 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

binder: fix alloc->vma_vm_mm null-ptr dereference

Syzbot reported a couple issues introduced by commit 44e602b4e52f ("binder_alloc: add missing mmap_lock calls when using the VMA"), in which we attempt to acquire the mmap_lock when alloc->vma_vm_mm has not been initialized yet.

This can happen if a binder_proc receives a transaction without having previously called mmap() to setup the binder_proc->alloc space in [1]. Also, a similar issue occurs via binder_alloc_print_pages() when we try to dump the debugfs binder stats file in [2].

Sample of syzbot's crash report: ================================================================== KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f] CPU: 0 PID: 3755 Comm: syz-executor229 Not tainted 6.0.0-rc1-next-20220819-syzkaller #0 syz-executor229[3755] cmdline: ./syz-executor2294415195 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 RIP: 0010:__lock_acquire+0xd83/0x56d0 kernel/locking/lockdep.c:4923 [...] Call Trace: lock_acquire kernel/locking/lockdep.c:5666 [inline] lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631 down_read+0x98/0x450 kernel/locking/rwsem.c:1499 mmap_read_lock include/linux/mmap_lock.h:117 [inline] binder_alloc_new_buf_locked drivers/android/binder_alloc.c:405 [inline] binder_alloc_new_buf+0xa5/0x19e0 drivers/android/binder_alloc.c:593 binder_transaction+0x242e/0x9a80 drivers/android/binder.c:3199 binder_thread_write+0x664/0x3220 drivers/android/binder.c:3986 binder_ioctl_write_read drivers/android/binder.c:5036 [inline] binder_ioctl+0x3470/0x6d00 drivers/android/binder.c:5323 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] ==================================================================

Fix these issues by setting up alloc->vma_vm_mm pointer during open() and caching directly from current->mm. This guarantees we have a valid reference to take the mmap_lock during scenarios described above.

[1] https://syzkaller.appspot.com/bug?extid=f7dc54e5be28950ac459 [2] https://syzkaller.appspot.com/bug?extid=a75ebe0452711c9e56d9

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49947"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:21Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix alloc-\u003evma_vm_mm null-ptr dereference\n\nSyzbot reported a couple issues introduced by commit 44e602b4e52f\n(\"binder_alloc: add missing mmap_lock calls when using the VMA\"), in\nwhich we attempt to acquire the mmap_lock when alloc-\u003evma_vm_mm has not\nbeen initialized yet.\n\nThis can happen if a binder_proc receives a transaction without having\npreviously called mmap() to setup the binder_proc-\u003ealloc space in [1].\nAlso, a similar issue occurs via binder_alloc_print_pages() when we try\nto dump the debugfs binder stats file in [2].\n\nSample of syzbot\u0027s crash report:\n  ==================================================================\n  KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f]\n  CPU: 0 PID: 3755 Comm: syz-executor229 Not tainted 6.0.0-rc1-next-20220819-syzkaller #0\n  syz-executor229[3755] cmdline: ./syz-executor2294415195\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022\n  RIP: 0010:__lock_acquire+0xd83/0x56d0 kernel/locking/lockdep.c:4923\n  [...]\n  Call Trace:\n   \u003cTASK\u003e\n   lock_acquire kernel/locking/lockdep.c:5666 [inline]\n   lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631\n   down_read+0x98/0x450 kernel/locking/rwsem.c:1499\n   mmap_read_lock include/linux/mmap_lock.h:117 [inline]\n   binder_alloc_new_buf_locked drivers/android/binder_alloc.c:405 [inline]\n   binder_alloc_new_buf+0xa5/0x19e0 drivers/android/binder_alloc.c:593\n   binder_transaction+0x242e/0x9a80 drivers/android/binder.c:3199\n   binder_thread_write+0x664/0x3220 drivers/android/binder.c:3986\n   binder_ioctl_write_read drivers/android/binder.c:5036 [inline]\n   binder_ioctl+0x3470/0x6d00 drivers/android/binder.c:5323\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:870 [inline]\n   __se_sys_ioctl fs/ioctl.c:856 [inline]\n   __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856\n   do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n   [...]\n  ==================================================================\n\nFix these issues by setting up alloc-\u003evma_vm_mm pointer during open()\nand caching directly from current-\u003emm. This guarantees we have a valid\nreference to take the mmap_lock during scenarios described above.\n\n[1] https://syzkaller.appspot.com/bug?extid=f7dc54e5be28950ac459\n[2] https://syzkaller.appspot.com/bug?extid=a75ebe0452711c9e56d9",
  "id": "GHSA-4hg9-w486-7gv5",
  "modified": "2025-06-18T12:30:36Z",
  "published": "2025-06-18T12:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49947"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1da52815d5f1b654c89044db0cdc6adce43da1f1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/81203ab7a6ef843a2b904a0a494f28c457d44d27"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b2a97babb0a510f8921891f9e70c5a5ef33cadac"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.