In aio_poll_complete_work of aio.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 398.0, "function_hash": "48664362563097039085937984030622063159" }, "id": "ASB-A-185125206-0ac9e315", "source": "https://android.googlesource.com/kernel/common/+/363bee27e258", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/aio.c", "function": "aio_poll_cancel" }, "signature_type": "Function" }, { "digest": { "length": 379.0, "function_hash": "308048047356879514759023181521934442748" }, "id": "ASB-A-185125206-226c86e8", "source": "https://android.googlesource.com/kernel/common/+/50252e4b5e98", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/aio.c", "function": "aio_poll_cancel" }, "signature_type": "Function" }, { "digest": { "length": 1523.0, "function_hash": "286068233086057103825368097150131609215" }, "id": "ASB-A-185125206-37702b94", "source": "https://android.googlesource.com/kernel/common/+/a880b28a71e3", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c", "function": "binder_thread_release" }, "signature_type": "Function" }, { "digest": { "length": 1555.0, "function_hash": "126875804775231147870201195932557025459" }, "id": "ASB-A-185125206-40183ca8", "source": "https://android.googlesource.com/kernel/common/+/50252e4b5e98", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/aio.c", "function": "aio_poll" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "103916783104200225590315384564690618197", "236509916116266473763258182693507802742", "259396545084157868375856052904919317990", "216563909856872903011323845599559178225", "12935958415669728427273859226269780261", "232477855709712011546985403374999130140", "38831775736977076894545359179532822341", "118658252037286368458906578258874855382", "176982169692379114039839514080990250346", "104553538000156914569600823498682441290", "137044513656280945817186712229539923878", "328321547004239131670705461366780532499", 
"31369718469835440617969541934242286972", "66926286447589769034882470391588583933", "191489564456247227330801345239873711327", "305016742332351135084166958525980282687", "6027948235401509478656525517962745394", "309246750004774701880627881223762794808", "22198911719718862665757955789024710739", "207075542232579074507606523505635544047", "318589412445344306456427818642976683913", "172885276292568756527448415567050244155", "248282781846124124892998591196225050092", "186463304814804592875391125259939550989", "78046434226596595915097605772261604387", "106831605062502963455075920510680873813", "177174941729083835361223288250332912916", "36845927603836903077346897458382264477", "166358367031841690424108727429141437387", "242874020948122927559290614323949753523", "182332632632781213139028756428184079032", "248116527722943252283752275548762343320", "187302069444600835605479567796184876440", "63193489760933081091667835079556342197", "70903549810169373337370957317399072732", "287054059610941266093125878961262692970", "129845873133191568953762808756726623819", "192949726594344925260897905966374748305", "29759759588795143611068574008286110262", "333555313393238712091570840098623705154", "275158411482825645527843211917488113315", "167720075858659256732881804339397333372", "205902425903415360724186242451849063514", "247169333687966575483923179990995444077", "97408840952290038204860707048139270898", "237938949970308812725196224369502533363", "208127112071029664890800528600570334250", "85020270651346562667816460986010768909", "300571512654863522182820932214511807067", "327637700692032099504245926383636385065", "205325363407784228426987383916305428743", "326705624405673617491715203248881513224", "155560678888687617551492776598446624547", "282618360266967336500669088203821671184", "122828978841391632589289460797260255265", "205348243970558946997998732074545329166", "6825112074509061086019510677574037767", "66248155285419425029817881918285021593", 
"123991380326168615317409051066714529063", "298239060112381811784664984001488945901", "258421734988650581639697698232703657837", "10039025578362999877079107379489462536", "25090630230439398750840307312943732718", "304119339385757645694887278820199768718", "332541348538714314374599821534571427172", "146380466341891811037367824173449252633" ] }, "id": "ASB-A-185125206-4e199bbc", "source": "https://android.googlesource.com/kernel/common/+/50252e4b5e98", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/aio.c" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "248044228784431710153433944130072156452", "128223112585543820893114641938467064627", "153749886573398998820843494508881553561", "22690399545950407354229332458077302347", "306699035265393185700572334728025254122", "229424086816602809388033835002640591616", "180390852260809398112002006953101936720" ] }, "id": "ASB-A-185125206-80031aaf", "source": "https://android.googlesource.com/kernel/common/+/42288cb44c4b", "deprecated": false, "signature_version": "v1", "target": { "file": "include/linux/wait.h" }, "signature_type": "Line" }, { "digest": { "length": 349.0, "function_hash": "33875190150141856899195094898248023279" }, "id": "ASB-A-185125206-91297e96", "source": "https://android.googlesource.com/kernel/common/+/50252e4b5e98", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/aio.c", "function": "aio_poll_queue_proc" }, "signature_type": "Function" }, { "digest": { "length": 1475.0, "function_hash": "49635016545928884911889530557603545332" }, "id": "ASB-A-185125206-92d59e33", "source": "https://android.googlesource.com/kernel/common/+/363bee27e258", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/aio.c", "function": "aio_poll" }, "signature_type": "Function" }, { "digest": { "length": 842.0, "function_hash": "326172184915394308963536867978640660186" }, "id": "ASB-A-185125206-b28deb9b", "source": 
"https://android.googlesource.com/kernel/common/+/363bee27e258", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/aio.c", "function": "aio_poll_wake" }, "signature_type": "Function" }, { "digest": { "length": 955.0, "function_hash": "245784321786892804612135879357266730768" }, "id": "ASB-A-185125206-c5fd2ecd", "source": "https://android.googlesource.com/kernel/common/+/50252e4b5e98", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/aio.c", "function": "aio_poll_wake" }, "signature_type": "Function" }, { "digest": { "length": 165.0, "function_hash": "67572656327009579849403738774370743895" }, "id": "ASB-A-185125206-c9d43168", "source": "https://android.googlesource.com/kernel/common/+/9537bae0da1f", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/signalfd.c", "function": "signalfd_cleanup" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "6941564317409617241089301594041543066", "103351782056066674868874000229765707665", "242638744609477601361387452345239079513", "104002201304374990143959956298713995237", "155709114170001778938443745411622160518", "165275952724234069055488766353876295993", "223533195947044949568486434514866187418", "170344438694221706773366560627056654553", "58806335242093387451323277556818170556", "149717994431064302113126109537802459996", "89175490121041634805927368757403148807", "121233759456881794857575498078045582016", "327676449199616417191783098260484449701", "160955319403040054488940436535284034912", "307939597315885307025429890389099870214", "84110454996824458324427339789187308044", "118654329723819124096270005656372436219", "324689238848297063015777098420792354839", "315703366456570174492565925613244232873", "88782392931738685003734547417375780446", "141244285935212872411284830141365674146", "106596573705925942568344023002016642305", "87229697125214511538518040477418418214", "316003180211049317472872701371300402513", 
"98899605980317458502504177050771392521", "240577467432155699276082566261740799725", "222669914081868428049310264739663645406", "260429928717406674064072784393885412128", "334551937006511525366394197467391651410", "65375094132789678229925744913460230445", "178528379366289195136358992747951081432", "134634952871901940891344612520726121192", "3805669452103208131664862255485467362", "262686834902082563054083695832896511832", "292485236483489988838386760843029912520", "329574738545635001704130590541270729693", "149047243794022697069560203129028530432", "189669329956648214027911091645368706385", "268310562268409619667739698695719014325", "304442530069388223404256162984765164392", "287584298307609544445039229949011506056", "274581115645612159067920208853686515215", "78955842661876826320250552059472020392", "259997418578704740287824252486730568360", "266265402738631992599040286379184175345", "275003481178102214273037433308523926723", "172492287899119440591989763466426208927", "159393208319222824141300797434108679477", "291337195123320697156730133317074768933", "336601227695372073629019615297439158270", "170287421870503459413919181986206239668", "97244153192675645733027910494675197539", "244306224199654148106752181544230754183", "166712329193458721216569090958515601800", "135026332397967437351268850093575256590" ] }, "id": "ASB-A-185125206-ce0ef043", "source": "https://android.googlesource.com/kernel/common/+/363bee27e258", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/aio.c" }, "signature_type": "Line" }, { "digest": { "length": 698.0, "function_hash": "174556425550256220239215856749256710223" }, "id": "ASB-A-185125206-dacd920b", "source": "https://android.googlesource.com/kernel/common/+/363bee27e258", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/aio.c", "function": "aio_poll_complete_work" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "107998276079783001560844285598274983478", 
"303679336613066718090978924244022024947", "77240607771191724348802695810025159465", "95425074598750498860095129409189991462", "327767320933458985763007091995827377743", "50620416591739968315417010815095164813", "264697154270533208543446285898729027903" ] }, "id": "ASB-A-185125206-e8972c8a", "source": "https://android.googlesource.com/kernel/common/+/9537bae0da1f", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/signalfd.c" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "104435129767682935149922247510491348651", "79313610870683105727185858739577697767", "115497647094408139906756067202732125743", "68506375173070114133035649734088381462", "154281057069382998527672662923195835784", "116706163922744684489758722233403851718", "309189070414507316548009017626054566040", "291746325821478733969995376520338372989" ] }, "id": "ASB-A-185125206-ea1b8eb2", "source": "https://android.googlesource.com/kernel/common/+/a880b28a71e3", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c" }, "signature_type": "Line" }, { "digest": { "length": 924.0, "function_hash": "214299788738922068342006788671229554664" }, "id": "ASB-A-185125206-eca44afc", "source": "https://android.googlesource.com/kernel/common/+/50252e4b5e98", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/aio.c", "function": "aio_poll_complete_work" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "99222207583294815325669404191353885718", "221371168808624593900345926208085843315", "268767183069683726538618246351402780418" ] }, "id": "ASB-A-185125206-f56e7593", "source": "https://android.googlesource.com/kernel/common/+/42288cb44c4b", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/sched/wait.c" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/42288cb44c4b", 
"https://android.googlesource.com/kernel/common/+/a880b28a71e3", "https://android.googlesource.com/kernel/common/+/9537bae0da1f", "https://android.googlesource.com/kernel/common/+/363bee27e258", "https://android.googlesource.com/kernel/common/+/50252e4b5e98" ], "spl": "2022-03-05", "severity": "High", "types": [ "EoP" ] }