ghsa-6q3v-9ww3-wjw7
Vulnerability from github
Published
2025-06-18 12:30
Modified
2025-06-18 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

binder: fix UAF of ref->proc caused by race condition

A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the reference for a node. In this case, the target proc normally releases the failed reference upon close as expected. However, if the target is dying in parallel the call will race with binder_deferred_release(), so the target could have released all of its references by now leaving the cleanup of the new failed reference unhandled.

The transaction then ends and the target proc gets released making the ref->proc now a dangling pointer. Later on, ref->node is closed and we attempt to take spin_lock(&ref->proc->inner_lock), which leads to the use-after-free bug reported below. Let's fix this by cleaning up the failed reference on the spot instead of relying on the target to do so.

================================================================== BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150 Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590

CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10 Hardware name: linux,dummy-virt (DT) Workqueue: events binder_deferred_func Call trace: dump_backtrace.part.0+0x1d0/0x1e0 show_stack+0x18/0x70 dump_stack_lvl+0x68/0x84 print_report+0x2e4/0x61c kasan_report+0xa4/0x110 kasan_check_range+0xfc/0x1a4 __kasan_check_write+0x3c/0x50 _raw_spin_lock+0xa8/0x150 binder_deferred_func+0x5e0/0x9b0 process_one_work+0x38c/0x5f0 worker_thread+0x9c/0x694 kthread+0x188/0x190 ret_from_fork+0x10/0x20

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49939"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:20Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix UAF of ref-\u003eproc caused by race condition\n\nA transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the\nreference for a node. In this case, the target proc normally releases\nthe failed reference upon close as expected. However, if the target is\ndying in parallel the call will race with binder_deferred_release(), so\nthe target could have released all of its references by now leaving the\ncleanup of the new failed reference unhandled.\n\nThe transaction then ends and the target proc gets released making the\nref-\u003eproc now a dangling pointer. Later on, ref-\u003enode is closed and we\nattempt to take spin_lock(\u0026ref-\u003eproc-\u003einner_lock), which leads to the\nuse-after-free bug reported below. Let\u0027s fix this by cleaning up the\nfailed reference on the spot instead of relying on the target to do so.\n\n  ==================================================================\n  BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150\n  Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590\n\n  CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10\n  Hardware name: linux,dummy-virt (DT)\n  Workqueue: events binder_deferred_func\n  Call trace:\n   dump_backtrace.part.0+0x1d0/0x1e0\n   show_stack+0x18/0x70\n   dump_stack_lvl+0x68/0x84\n   print_report+0x2e4/0x61c\n   kasan_report+0xa4/0x110\n   kasan_check_range+0xfc/0x1a4\n   __kasan_check_write+0x3c/0x50\n   _raw_spin_lock+0xa8/0x150\n   binder_deferred_func+0x5e0/0x9b0\n   process_one_work+0x38c/0x5f0\n   worker_thread+0x9c/0x694\n   kthread+0x188/0x190\n   ret_from_fork+0x10/0x20",
  "id": "GHSA-6q3v-9ww3-wjw7",
  "modified": "2025-06-18T12:30:36Z",
  "published": "2025-06-18T12:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49939"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/06e5b43ca4dab06a92bf4c2f33766e6fb11b880a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/229f47603dd306bc0eb1a831439adb8e48bb0eae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/30d0901b307f27d36b2655fb3048cf31ee0e89c0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/603a47f2ae56bf68288784d3c0a8c5b8e0a827ed"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9629f2dfdb1dad294b468038ff8e161e94d0b609"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a0e44c64b6061dda7e00b7c458e4523e2331b739"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2a4b5dc8fa71af73bab704d0cac42ac39767ed6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.