ACK: [SRU][N/M/J/F][PATCH 0/1] CVE-2024-26926
Thibault Ferrante
thibault.ferrante at canonical.com
Thu May 23 10:06:37 UTC 2024
On 22-05-2024 20:31, Bethany Jamison wrote:
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> binder: check offset alignment in binder_get_object()
>
> Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying
> txn") introduced changes to how binder objects are copied. In doing so,
> it unintentionally removed an offset alignment check done through calls
> to binder_alloc_copy_from_buffer() -> check_buffer().
>
> These calls were replaced in binder_get_object() with copy_from_user(),
> so now an explicit offset alignment check is needed here. This avoids
> later complications when unwinding the objects gets harder.
>
> It is worth noting this check existed prior to commit 7a67a39320df
> ("binder: add function to copy binder object from buffer"), likely
> removed due to redundancy at the time.
>
> [Fix]
>
> Noble: Clean cherry-pick from linux-6.8.y
> Mantic: Noble patch applied cleanly.
> Jammy: Noble patch applied cleanly.
> Focal: Noble patch applied cleanly.
> Bionic: not-affected
> Xenial: not-affected
> Trusty: not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use Android when utilizing the binder
> mechanism, an issue with this fix would be visible to the user via
> a decrease in system performance or a system crash.
>
> Carlos Llamas (1):
> binder: check offset alignment in binder_get_object()
>
> drivers/android/binder.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
Acked-by: Thibault Ferrante <thibault.ferrante at canonical.com>
--
Thibault
More information about the kernel-team
mailing list