In futex_setup_timer and related functions of futex.c, there is a possible way to corrupt kernel memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 365.0, "function_hash": "282028673913705372080548951146152483629" }, "id": "ASB-A-175193031-060c2605", "source": "https://android.googlesource.com/kernel/common/+/8019ad13ef7f64be44d4f892af9c840179009254", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/futex.c", "function": "get_futex_key_refs" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "225841678817929804105344848207817203727", "241936174136776133829250901711474255239", "83691230565593305391621373308776520282", "317408987809827657721927393510666747361" ] }, "id": "ASB-A-175193031-0b1e0cfa", "source": "https://android.googlesource.com/kernel/common/+/8019ad13ef7f64be44d4f892af9c840179009254", "deprecated": false, "signature_version": "v1", "target": { "file": "include/linux/fs.h" }, "signature_type": "Line" }, { "digest": { "length": 358.0, "function_hash": "256967322258109938079540545875429673376" }, "id": "ASB-A-175193031-3b71fe5f", "source": "https://android.googlesource.com/kernel/common/+/8019ad13ef7f64be44d4f892af9c840179009254", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/futex.c", "function": "drop_futex_key_refs" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "230744971195401288130627191547954842823", "211127357769710341211336505123840086203", "223896465548815511929732416192874484212", "195211789378707427530363712531941152443", "27213064731481272809241883819707334080", "202404361305839365860301863658895764391", "83822538963803172961150238880216516888", "135422197697941568751249559187827700582", "101870871030793852761589874639816271120", "123884775452490913074377838750592379955", "146732311113055482652018525674129277052", "114952950682114127151436562538516442992", "251856903832989451948821676129667668721", "9640809441899830722058250453081542185", "306014243791964214160361273551987327733", 
"114643466419988552477100819623107863030", "189133146165400672977871200733128576001", "319648815059471282394804370335203257405", "23947681010449533293521396795715034199", "172029134429723997899540937363532015349", "267576497048180801712971195444989451561", "192751111435224228590908869342281583875", "281794845464170717671969943442942908295", "317774558663308463005369364169594256402", "284910707618624202955147741024928021517", "137152916533273283007371937256895584705", "14440142934350694891750584554079577740", "284824107555072767724379551301905605227", "53089509811906778133369099335059308795", "212586052990105367349220776620889644803", "325653622803805233355656729939045730833", "314382843384342374749507079552120999213", "260923458147121407760795272648310252665", "60069556135846207280891853717944915510" ] }, "id": "ASB-A-175193031-6fd116f8", "source": "https://android.googlesource.com/kernel/common/+/8019ad13ef7f64be44d4f892af9c840179009254", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/futex.c" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "111452198812326913730550942143857210815", "87766513542484278407272696616802886018", "15484196665771149059508317911677159500", "90228417295428278250578187220276270997", "147712307941903208843395870608426226108", "212706926981469402678408146791062140167", "276926196982029909468235867557785073289", "224688884671022097837423789854950299692", "220310317394217939780448604728947110652", "105245571931909190354756280054953557774", "131019882807181507805285072110519253213", "265681283274407437668067939032827246681", "250196792535479318812781168825484490889", "112855155136791911856029834773871273206", "287995816502077079244322662322416315840", "43819587969497763002331070427534702921", "3837322148247977244258777468079800650", "32874732896297290009978364591559677067", "150853477666196706619459834561079105242" ] }, "id": "ASB-A-175193031-7a153f5d", "source": 
"https://android.googlesource.com/kernel/common/+/8019ad13ef7f64be44d4f892af9c840179009254", "deprecated": false, "signature_version": "v1", "target": { "file": "include/linux/futex.h" }, "signature_type": "Line" }, { "digest": { "length": 1949.0, "function_hash": "224703122958689725050710268330769074607" }, "id": "ASB-A-175193031-8353b085", "source": "https://android.googlesource.com/kernel/common/+/8019ad13ef7f64be44d4f892af9c840179009254", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/futex.c", "function": "get_futex_key" }, "signature_type": "Function" }, { "digest": { "length": 1992.0, "function_hash": "217181746816137931412715083531560112179" }, "id": "ASB-A-175193031-f31063e4", "source": "https://android.googlesource.com/kernel/common/+/8019ad13ef7f64be44d4f892af9c840179009254", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/inode.c", "function": "inode_init_always" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "260187947260637658878704936142273918549", "322288179877911543514123641936100429501", "339597281592852085992351917251310976998", "76123908760051706359067459854941600762" ] }, "id": "ASB-A-175193031-f6e75b95", "source": "https://android.googlesource.com/kernel/common/+/8019ad13ef7f64be44d4f892af9c840179009254", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/inode.c" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/8019ad13ef7f64be44d4f892af9c840179009254" ], "spl": "2021-08-05", "severity": "High", "types": [ "EoP" ] }