In fixuppistate_owner of futex.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 2430.0, "function_hash": "166407265836328870184724393860972034776" }, "id": "ASB-A-171705902-052b0830", "source": "https://android.googlesource.com/kernel/common/+/6e7bfa046de8", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/futex.c", "function": "futex_lock_pi" }, "signature_type": "Function" }, { "digest": { "length": 1316.0, "function_hash": "52949640630578686807464447965616679412" }, "id": "ASB-A-171705902-254205f3", "source": "https://android.googlesource.com/kernel/common/+/6e7bfa046de8", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/futex.c", "function": "__fixup_pi_state_owner" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "277696547841446050299316128790771963006", "101107537533451650815640847995199601132", "115162581271208781200345521999499285431", "51012072082526540972081746163334664266", "94613011286892000345735233480715095720", "326327256823949410873761865611659517621", "122070659955104989871090937019300140704", "29647631531214415691908176804216470396", "299879371089825648946108712768808226346", "166447846515058582747736052166524432350", "88864922940187067070720626506787318460", "99746421116309374202488546135233948575", "96898120306017363035329849461750391371", "233289239217512225928947734992927182810", "28378800602613682390239154766405949555", "135990521712881915955526603221964007810", "203991696525893997486293058786271428298", "134382814200124380347082578662335001414", "308636226336762709767367156429249915955", "142462741155204829755875419802479934399", "257677037739395275968206792037470352289", "238822028467281596831198266313399068469", "266274011474161998918008606046402729078", "120847358317147734599455306436992199178", "329609493481011690307245500347116459679", "111190485340161273643099597353625405826", "311484847247301039108694392994162210355", "130783198392241764045979051211405014248", "1130404072891426559364165520840721390", "45355317341531064560246639371770036050", "321770519846562267143885334111396026602", "332983991903622282988937649834858381754", "134874418169471777179920312984975122439", "292929451001655840653579458354093945884", "124541674301364978156433733600978926598", "122700454077057425567353402363786104533", "74213820949545289180836633152480974650", "28378800602613682390239154766405949555", "239268973693329351446794496650353135289", "88160930331730810177696987226318702245", "207391404736208931911666446656132271797", "178590677269267434442517898925464848043", "308636226336762709767367156429249915955", "141135455816156552100675934666676342740", "90939628655534807682378130789175944108", "189457668831571386176933099312645953475" ] }, "id": "ASB-A-171705902-2c1fe69d", "source": "https://android.googlesource.com/kernel/common/+/6e7bfa046de8", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/futex.c" }, "signature_type": "Line" }, { "digest": { "length": 2243.0, "function_hash": "258296963401256066978420454997771824010" }, "id": "ASB-A-171705902-d819d704", "source": "https://android.googlesource.com/kernel/common/+/6e7bfa046de8", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/futex.c", "function": "futex_wait_requeue_pi" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/6e7bfa046de8" ], "spl": "2021-08-05", "severity": "High", "types": [ "EoP" ] }