In several functions of tty_io.c and related files (the signatures below also target drivers/tty/tty_jobctrl.c), there is a possible way to corrupt kernel memory due to a use-after-free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "180228680283374369989413483916025289913", "308095095407607036140062560232566252757", "124701444752169089570609347670136209690", "250993402050866239795564199876443996523", "98994193204391955053393349409132430588", "8443003566027127269106625924906014867", "273877747184941300959998598527992062084", "129620973704786672057741442708663792363", "168889036708998593075019533223311381796", "15042649993839020582269144173174097084", "80079680006326966291492259105597076901" ] }, "id": "ASB-A-175451844-03124b6d", "source": "https://android.googlesource.com/kernel/common/+/c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/tty/tty_io.c" }, "signature_type": "Line" }, { "digest": { "length": 1295.0, "function_hash": "46403272369286472446383904293111349540" }, "id": "ASB-A-175451844-0c344bf8", "source": "https://android.googlesource.com/kernel/common/+/c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/tty/tty_jobctrl.c", "function": "disassociate_ctty" }, "signature_type": "Function" }, { "digest": { "length": 628.0, "function_hash": "33292448399326925234316101472245772704" }, "id": "ASB-A-175451844-0c9e6c24", "source": "https://android.googlesource.com/kernel/common/+/c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/tty/tty_jobctrl.c", "function": "__proc_set_tty" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "172647275850244123068926011950751363919", "256013172192984139596932178943032631347", "105937977990904179039567374719643005194", "181456681277628433445730867829711976893", "215960641960715695878074827306571297364", "88568373431601013831164685396964796079", "224421072961504934542008399770113916813", "281768756558694835633614791555677621039", 
"42720794122607861497283950267809472515", "120394842235307112663645829479025812416", "47270671121601337324257131727742065646", "325608570018195816140129203439501034617", "45883112463596946632297263689445712785", "114810691279895185819851876826568612767", "112257623719119217987521011253491414482", "300648615351241321883704097818922568729", "94691952771512473906549803669087169234", "199769680556394980418754563158913758518", "335763448128501009314061075499685348692", "102425998200056111098618301803540172584", "296459709960035483359750305190811215941", "91847565752232093508738322644005111305", "140243395643430909671349865952183783961", "279229834851771365040298731087519495379", "184885002117734542012469610129714802845", "30230991828470014703941396959726214311", "259302701780771174669192810821421211123", "79655522187762922118322191270818657298", "121696461656370062132013529725484192130", "298178070601149766663705120145262128563", "233404181447883959285784600711479470561", "250253426506645472466638278808530325518", "178684367323773797223172307460827936114", "107960420887835893931775884290089031897", "322991136220046015984089790324125781887", "303174030707301652555076115195485908890", "87392038734971738532553322798949667760", "170396420592324612029374006974202916582", "340057293138642444658392102369641455601", "57569170850854654386666384984575603305", "94170689697896871542269597350692703374", "251159339448140494997133946955144825062", "78177858559818117342202973719307617608", "233598370501082444955162355122638476329", "148272808823891799036091646904029511201", "59934727570702112309813050204909442816", "265853501255866054394270602871306233241", "303510411391993781086937077848811706665", "219713477441612074933219153882823446885" ] }, "id": "ASB-A-175451844-624840c4", "source": "https://android.googlesource.com/kernel/common/+/c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/tty/tty_jobctrl.c" }, 
"signature_type": "Line" }, { "digest": { "length": 1184.0, "function_hash": "110152949807816591880024261468598283165" }, "id": "ASB-A-175451844-6642841d", "source": "https://android.googlesource.com/kernel/common/+/c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/tty/tty_io.c", "function": "__do_SAK" }, "signature_type": "Function" }, { "digest": { "length": 258.0, "function_hash": "74317975915546414177100903485982673494" }, "id": "ASB-A-175451844-89e40695", "source": "https://android.googlesource.com/kernel/common/+/c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/tty/tty_jobctrl.c", "function": "tiocgsid" }, "signature_type": "Function" }, { "digest": { "length": 778.0, "function_hash": "10819461503779731792939548977694799307" }, "id": "ASB-A-175451844-ba7aa7a2", "source": "https://android.googlesource.com/kernel/common/+/c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/tty/tty_jobctrl.c", "function": "tiocspgrp" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9" ], "spl": "2021-10-05", "severity": "High", "types": [ "EoP" ] }