[Disco][SRU][CVE-2019-2214] Fix for Binder OOB write
Connor Kuehl
connor.kuehl at canonical.com
Tue Nov 26 22:42:30 UTC 2019
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-2214.html
>From the link above:
"In binder_transaction of binder.c, there is a possible out of bounds write
due to a missing bounds check. This could lead to local escalation of
privilege with no additional execution privileges needed. User interaction
is not needed for exploitation.Product: AndroidVersions: Android
kernelAndroid ID: A-136210786References: Upstream kernel"
These backport notes are also included on the patch:
There is a much larger cleanup patch (that Disco does not have) that moves
away from using pointers and pointer arithmetic to using uintptr values,
that patch is bde4a19fc04f ("binder: use userspace pointer as base of
buffer space"). I used that patch to create a mapping of equivalent
variables:
sg_bufp => sg_buf_offset
sg_buf_end => sg_buf_end_offset
offp => buffer_offset
off_start => off_start_offset
off_end => off_end_offset
to construct an equivalent patch for this CVE without pulling in the
other larger patch to base this on.
No new compiler warnings for the android driver.
@@ -3239,7 +3239,8 @@ static void binder_transaction(struct binder_proc *proc,
buffer_offset = off_start_offset;
off_end_offset = off_start_offset + tr->offsets_size;
sg_buf_offset = ALIGN(off_end_offset, sizeof(void *));
- sg_buf_end_offset = sg_buf_offset + extra_buffers_size;
+ sg_buf_end_offset = sg_buf_offset + extra_buffers_size -
+ ALIGN(secctx_sz, sizeof(u64));
off_min = 0;
for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
buffer_offset += sizeof(binder_size_t)) {
More information about the kernel-team
mailing list