ASB-A-171705902

Import Source
https://storage.googleapis.com/android-osv/ASB-A-171705902.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-171705902
Aliases
Published
2021-08-01T00:00:00Z
Modified
2024-08-07T19:29:03.999287Z
Summary
Kernel exploit: futex fixup_pi_state_owner() fault causes stack UAF
Details

In fixup_pi_state_owner of futex.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / :linux_kernel:

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
:0
Fixed
:2021-08-05

Affected versions

Other

Kernel

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 2430.0,
                "function_hash": "166407265836328870184724393860972034776"
            },
            "id": "ASB-A-171705902-052b0830",
            "source": "https://android.googlesource.com/kernel/common/+/6e7bfa046de8",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "kernel/futex.c",
                "function": "futex_lock_pi"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 1316.0,
                "function_hash": "52949640630578686807464447965616679412"
            },
            "id": "ASB-A-171705902-254205f3",
            "source": "https://android.googlesource.com/kernel/common/+/6e7bfa046de8",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "kernel/futex.c",
                "function": "__fixup_pi_state_owner"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "277696547841446050299316128790771963006",
                    "101107537533451650815640847995199601132",
                    "115162581271208781200345521999499285431",
                    "51012072082526540972081746163334664266",
                    "94613011286892000345735233480715095720",
                    "326327256823949410873761865611659517621",
                    "122070659955104989871090937019300140704",
                    "29647631531214415691908176804216470396",
                    "299879371089825648946108712768808226346",
                    "166447846515058582747736052166524432350",
                    "88864922940187067070720626506787318460",
                    "99746421116309374202488546135233948575",
                    "96898120306017363035329849461750391371",
                    "233289239217512225928947734992927182810",
                    "28378800602613682390239154766405949555",
                    "135990521712881915955526603221964007810",
                    "203991696525893997486293058786271428298",
                    "134382814200124380347082578662335001414",
                    "308636226336762709767367156429249915955",
                    "142462741155204829755875419802479934399",
                    "257677037739395275968206792037470352289",
                    "238822028467281596831198266313399068469",
                    "266274011474161998918008606046402729078",
                    "120847358317147734599455306436992199178",
                    "329609493481011690307245500347116459679",
                    "111190485340161273643099597353625405826",
                    "311484847247301039108694392994162210355",
                    "130783198392241764045979051211405014248",
                    "1130404072891426559364165520840721390",
                    "45355317341531064560246639371770036050",
                    "321770519846562267143885334111396026602",
                    "332983991903622282988937649834858381754",
                    "134874418169471777179920312984975122439",
                    "292929451001655840653579458354093945884",
                    "124541674301364978156433733600978926598",
                    "122700454077057425567353402363786104533",
                    "74213820949545289180836633152480974650",
                    "28378800602613682390239154766405949555",
                    "239268973693329351446794496650353135289",
                    "88160930331730810177696987226318702245",
                    "207391404736208931911666446656132271797",
                    "178590677269267434442517898925464848043",
                    "308636226336762709767367156429249915955",
                    "141135455816156552100675934666676342740",
                    "90939628655534807682378130789175944108",
                    "189457668831571386176933099312645953475"
                ]
            },
            "id": "ASB-A-171705902-2c1fe69d",
            "source": "https://android.googlesource.com/kernel/common/+/6e7bfa046de8",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "kernel/futex.c"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 2243.0,
                "function_hash": "258296963401256066978420454997771824010"
            },
            "id": "ASB-A-171705902-d819d704",
            "source": "https://android.googlesource.com/kernel/common/+/6e7bfa046de8",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "kernel/futex.c",
                "function": "futex_wait_requeue_pi"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/kernel/common/+/6e7bfa046de8"
    ],
    "spl": "2021-08-05",
    "severity": "High",
    "types": [
        "EoP"
    ]
}