APPLIED: [SRU][N/M/J/F][PATCH 0/1] CVE-2024-26926

[Roxana Nicolescu]

On 22/05/2024 20:31, Bethany Jamison wrote:
> [Impact]
>
>   In the Linux kernel, the following vulnerability has been resolved:
>
>   binder: check offset alignment in binder_get_object()
>
>   Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying
>   txn") introduced changes to how binder objects are copied. In doing so,
>   it unintentionally removed an offset alignment check done through calls
>   to binder_alloc_copy_from_buffer() -> check_buffer().
>
>   These calls were replaced in binder_get_object() with copy_from_user(),
>   so now an explicit offset alignment check is needed here. This avoids
>   later complications when unwinding the objects gets harder.
>
>   It is worth noting this check existed prior to commit 7a67a39320df
>   ("binder: add function to copy binder object from buffer"), likely
>   removed due to redundancy at the time.
>
> [Fix]
>
> Noble:	Clean cherry-pick from linux-6.8.y
> Mantic:	Noble patch applied cleanly.
> Jammy:	Noble patch applied cleanly.
> Focal:	Noble patch applied cleanly.
> Bionic:	not-affected
> Xenial:	not-affected
> Trusty:	not-affected	
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use Android when utilizing the binder
> mechanism, an issue with this fix would be visible to the user via
> a decrease in system performance or a system crash.
>
> Carlos Llamas (1):
>    binder: check offset alignment in binder_get_object()
>
>   drivers/android/binder.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
>
Applied to noble:linux, mantic:linux, jammy:linux, focal:linux 
master-next branches. Thanks!