ACK: [SRU][N/M/J/F][PATCH 0/1] CVE-2024-26926

Manuel Diewald manuel.diewald at canonical.com
Thu May 23 11:52:36 UTC 2024 

On Wed, May 22, 2024 at 01:31:27PM -0500, Bethany Jamison wrote:
> [Impact]
> 
>  In the Linux kernel, the following vulnerability has been resolved:
> 
>  binder: check offset alignment in binder_get_object()
> 
>  Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying
>  txn") introduced changes to how binder objects are copied. In doing so,
>  it unintentionally removed an offset alignment check done through calls
>  to binder_alloc_copy_from_buffer() -> check_buffer().
> 
>  These calls were replaced in binder_get_object() with copy_from_user(),
>  so now an explicit offset alignment check is needed here. This avoids
>  later complications when unwinding the objects gets harder.
> 
>  It is worth noting this check existed prior to commit 7a67a39320df
>  ("binder: add function to copy binder object from buffer"), likely
>  removed due to redundancy at the time.
> 
> [Fix]
> 
> Noble:	Clean cherry-pick from linux-6.8.y
> Mantic:	Noble patch applied cleanly.
> Jammy:	Noble patch applied cleanly.
> Focal:	Noble patch applied cleanly.
> Bionic:	not-affected
> Xenial:	not-affected
> Trusty:	not-affected	
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This fix affects those who use Android when utilizing the binder 
> mechanism, an issue with this fix would be visible to the user via
> a decrease in system performance or a system crash.
> 
> Carlos Llamas (1):
>   binder: check offset alignment in binder_get_object()
> 
>  drivers/android/binder.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> -- 
> 2.34.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Manuel Diewald <manuel.diewald at canonical.com>

-- 
 Manuel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240523/289ca91b/attachment-0001.sig>

More information about the kernel-team mailing list