CVE-2021-46935: binder: fix async_free_space accounting for empty parcels - Greg Kroah-Hartman

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: CVE-2021-46935: binder: fix async_free_space accounting for empty parcels
Date: Tue, 27 Feb 2024 10:48:56 +0100	[thread overview]
Message-ID: <2024022751-CVE-2021-46935-f8f4@gregkh> (raw)

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

binder: fix async_free_space accounting for empty parcels

In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
fixed a kernel structure visibility issue. As part of that patch,
sizeof(void *) was used as the buffer size for 0-length data payloads so
the driver could detect abusive clients sending 0-length asynchronous
transactions to a server by enforcing limits on async_free_size.

Unfortunately, on the "free" side, the accounting of async_free_space
did not add the sizeof(void *) back. The result was that up to 8-bytes of
async_free_space were leaked on every async transaction of 8-bytes or
less.  These small transactions are uncommon, so this accounting issue
has gone undetected for several years.

The fix is to use "buffer_size" (the allocated buffer size) instead of
"size" (the logical buffer size) when updating the async_free_space
during the free operation. These are the same except for this
corner case of asynchronous transactions with payloads < 8 bytes.

The Linux kernel CVE team has assigned CVE-2021-46935 to this issue.

Affected and fixed versions
===========================

	Issue introduced in 4.14 with commit 74310e06be4d and fixed in 4.14.261 with commit 2d2df539d052
	Issue introduced in 4.14 with commit 74310e06be4d and fixed in 4.19.224 with commit 7c7064402609
	Issue introduced in 4.14 with commit 74310e06be4d and fixed in 5.4.170 with commit 103b16a8c51f
	Issue introduced in 4.14 with commit 74310e06be4d and fixed in 5.10.90 with commit 1cb8444f3114
	Issue introduced in 4.14 with commit 74310e06be4d and fixed in 5.15.13 with commit 17691bada6b2
	Issue introduced in 4.14 with commit 74310e06be4d and fixed in 5.16 with commit cfd0d84ba28c

Please see https://www.kernel.org or a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-46935
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	drivers/android/binder_alloc.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/2d2df539d05205fd83c404d5f2dff48d36f9b495
	https://git.kernel.org/stable/c/7c7064402609aeb6fb11be1b4ec10673ff17b593
	https://git.kernel.org/stable/c/103b16a8c51f96d5fe063022869ea906c256e5da
	https://git.kernel.org/stable/c/1cb8444f3114f0bb2f6e3bcadcf09aa4a28425d4
	https://git.kernel.org/stable/c/17691bada6b2f1d5f1c0f6d28cd9d0727023b0ff
	https://git.kernel.org/stable/c/cfd0d84ba28c18b531648c9d4a35ecca89ad9901