In several functions of binder.c, there is a possible way to represent the wrong domain to SELinux due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 555.0, "function_hash": "231407837190042573094156491589834243533" }, "id": "ASB-A-200688826-11481815", "source": "https://android.googlesource.com/kernel/common/+/d49297739550", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c", "function": "binder_free_proc" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "126683134176863470776868207136906914994", "38713954720882132583903179716217917347", "326893740105109937475759468122592924322", "176910736974583919846835855928308724919", "265314323873325083967345510800906385487", "240682525509061376096596629109040678512", "100223005864230666850221539740342201950", "19475149632549597688432411711795234224", "205178011758843003851090885871744212277", "111318331972585815938292775316587303518", "27801809098600170551150509610058461658", "142770307936741376932770861364582651881", "173441072849544000582352884120576204158", "277097587211441045543691150770193867443", "215597700148302091766435222561136143089", "164453647142885321008171126345005053377", "105675256379209094124693585282241930011", "97341013175794610867792420283140963326", "268457702880548025087106014816669219248", "340250336334142126175866459841228586054", "324025243790996693988771697812685073962", "274942730410906923493771723543464266629", "81420709793705465678489964396352122341", "268457702880548025087106014816669219248", "119884574446635250263676569147258115210", "323845550879701923636485821535960459223", "238112787265049397117793353658642573600", "207364602890292108503816485398790817653", "319163664486232603558015889334596442358" ] }, "id": "ASB-A-200688826-202e3619", "source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "deprecated": false, "signature_version": "v1", "target": { "file": "include/linux/security.h" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "105656823417883503715911137841006902801", "332894221148265009623728853548189631123", "267932359235310397240227903404830068709", "88921030126102850122237358355427132319", "252483249709895504749933195698470932509", "14867552185965697716111542756816071771", "94578123680325147249013171681837192285", "195539343826828087033425429676324569363", "231951434973904744963395791611522003357", "234324142664819444171817808950148743001", "325487016174712765183301543079751918236", "86330567057262051968858215193338561342", "10406308359614255641143292291812852284", "245318693255130450329193901280301637959", "158524313061522962023020458782280771245", "244936256926537336968085364693560036082", "138771037490280290200804945147220330405", "139684673098713170975780252257393988710", "329312122471065943862601464726279321323", "211329276377476893153111018812506344861", "251933005008011460804460918138603157190", "185064926321514459261328551509859387450", "262099218877840394946915497296966971322", "55752847120026311214321880033677016305", "36098467878721687305074030629633732301", "335475855804350695822375460819936923990", "73463107392000075330653437567216590840", "276573047943312651880844638558538715775" ] }, "id": "ASB-A-200688826-26cd0a81", "source": "https://android.googlesource.com/kernel/common/+/d49297739550", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c" }, "signature_type": "Line" }, { "digest": { "length": 139.0, "function_hash": "65380354718387744503550318465511248520" }, "id": "ASB-A-200688826-2c2b4e64", "source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "deprecated": false, "signature_version": "v1", "target": { "file": "security/security.c", "function": "security_binder_transfer_file" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "115479731058651618879635674085427059611", "72120252236892090336450142209295579130", "225779625634544484729459186312241608396", "40621910807807358661194720316662914600", "205011296305411288306961315682610200705", "158248690466332669564129579416137524947", "225779625634544484729459186312241608396", "40621910807807358661194720316662914600", "15640223675261419083899032276689741850", "69596134765492017962586662485546701164", "225980230840136316486052230238854125220", "273221016821390250554787874858438522450", "14027153297497793543007811270484422296", "198125727150250665410372585268834271335", "40168202033594379166677830584961784524", "180857587354089569214436508104579704003", "66304824172014453611408237956631714642", "318417166714628621822503273675729090955", "270685634687976528228545305212573412274", "294885512704247874900355559892433124187", "203321934675788844893427541923073504361" ] }, "id": "ASB-A-200688826-3f98e6ec", "source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "325383347217087307434268333834049752529", "307735939237918491921518799474930705577", "265828607440514955408070850130527549444", "323992307684146705106304964038574925816" ] }, "id": "ASB-A-200688826-43d76f22", "source": "https://android.googlesource.com/kernel/common/+/a4eacf3227bd", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "18179044106849088846855270647796054032", "71730960146828084310854430289046494285", "207107414340678828393377400823892753561", "293613484112685522537529427321942368706", "40893513029524938786806032659761112089", "239406745835948555721156400961422076474", "38798257102643414782027381581705193012", "239593933893688860784893650936686007604", "30454635709260189958671343075608643229", "164355070642847119160138535238979857747", "168955031598242100928987626095106504902", "84472222668193976025269966123023581094", "320865486886444889239756814764967315254", "180564672791274128234216660747135130191", "192598579777353139023398315890684550605", "199074591680433746384154904583903132529", "184308095363039105888070374692699170333", "270251776508142616124323372083129230397", "168036410668146965694132251330986206927", "266649824571816462609075430062356701149", "316233409035608813833836772327733242530", "94557117925477471146211273148946859917", "120129915903795129425975502979905223129", "12619622551066257608969231274202335256", "209516585675740738281618771300149545404", "77268229706952586748549723298106938581", "98575381110204222696170439394556499295", "285380294390076565002794058997580445378", "192153643477588373989308467294902147495", "147108566507228044965960596111429213090", "301939550545774062346284848601270393555", "288014247260680070566586518637501135783", "193586167227783697672097906766135579138", "178904719520538795918035587160378402688", "141888222529898317152170067303488982145", "44071077992038026358523321340144208154", "62510279387472005093802200162666095245", "78352868298390049763754312108783032652" ] }, "id": "ASB-A-200688826-499dbb92", "source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "deprecated": false, "signature_version": "v1", "target": { "file": "security/selinux/hooks.c" }, "signature_type": "Line" }, { "digest": { "length": 204.0, "function_hash": "144219858464324755008783790360640440619" }, "id": "ASB-A-200688826-4ce2d4cf", "source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "deprecated": false, "signature_version": "v1", "target": { "file": "security/selinux/hooks.c", "function": "selinux_binder_set_context_mgr" }, "signature_type": "Function" }, { "digest": { "length": 396.0, "function_hash": "275759781468628232113928053500850660921" }, "id": "ASB-A-200688826-56ff6053", "source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "deprecated": false, "signature_version": "v1", "target": { "file": "security/selinux/hooks.c", "function": "selinux_binder_transaction" }, "signature_type": "Function" }, { "digest": { "length": 1106.0, "function_hash": "14533697915353012148119803724869010614" }, "id": "ASB-A-200688826-68828f5d", "source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c", "function": "binder_ioctl_set_ctx_mgr" }, "signature_type": "Function" }, { "digest": { "length": 1709.0, "function_hash": "265074062221304891916913369698226648735" }, "id": "ASB-A-200688826-857f3ccd", "source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c", "function": "binder_translate_handle" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "270894372891929137708113416126825917809", "292336947073988240969255104031349503524", "288849225800119384948072770420950962530", "264845512587866129356757207966579053432", "203671856128089170454920366150028440991", "157243101463160834399772499024083915209", "231070169673542246157074609168966926205" ] }, "id": "ASB-A-200688826-867919bd", "source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "deprecated": false, "signature_version": "v1", "target": { "file": "include/linux/lsm_hook_defs.h" }, "signature_type": "Line" }, { "digest": { "length": 16781.0, "function_hash": "142731350329892688305715321941720870032" }, "id": "ASB-A-200688826-8a5e7c2c", "source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c", "function": "binder_transaction" }, "signature_type": "Function" }, { "digest": { "length": 219.0, "function_hash": "44945908081277697215052918151646845745" }, "id": "ASB-A-200688826-9240429d", "source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "deprecated": false, "signature_version": "v1", "target": { "file": "security/selinux/hooks.c", "function": "selinux_binder_transfer_binder" }, "signature_type": "Function" }, { "digest": { "length": 93.0, "function_hash": "95105541587093829148411427664706937594" }, "id": "ASB-A-200688826-9ab9e976", "source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "deprecated": false, "signature_version": "v1", "target": { "file": "security/security.c", "function": "security_binder_set_context_mgr" }, "signature_type": "Function" }, { "digest": { "length": 16799.0, "function_hash": "54234820591239460562704600920904070185" }, "id": "ASB-A-200688826-9c3255b0", "source": "https://android.googlesource.com/kernel/common/+/a4eacf3227bd", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c", "function": "binder_transaction" }, "signature_type": "Function" }, { "digest": { "length": 117.0, "function_hash": "158581916644402848848693402248860046509" }, "id": "ASB-A-200688826-9ebbecf9", "source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "deprecated": false, "signature_version": "v1", "target": { "file": "security/security.c", "function": "security_binder_transfer_binder" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "123941007659038979827173616659108527901", "146005798303631116711067585617052905066", "307197341495924396493535256342544686685", "5829114062206061382307591821715992335" ] }, "id": "ASB-A-200688826-a1a21e00", "source": "https://android.googlesource.com/kernel/common/+/11db2de0af2a", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c" }, "signature_type": "Line" }, { "digest": { "length": 1177.0, "function_hash": "36600205378999285488058314823190884601" }, "id": "ASB-A-200688826-a7fddecf", "source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c", "function": "binder_translate_fd" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "23375747562566563857112845491542362359", "44393964508846939656371435613571986135", "68703338785981693882845493494700964977", "150434377807740252526128317684769148094", "233619380623688310956846033915399007720", "104766539655022086744985088648485179395", "236903956655660921899125707748150152415", "75667745691304065275392437315551213768", "120871262221703055822838860445459359556", "205073129273949571481870511178738439725", "212643725146793189449712077269332311911", "67028431121051968623211596376581675990", "248370723500031091888243380994349816017", "9917094445828572398049856451928856987", "247930277218549001949406740456389210975", "61074542653786060871431593927803224799", "297696395738555972448900130071738009325", "116708056164056894005122436041387570337", "52252935602424721753124088552714828855" ] }, "id": "ASB-A-200688826-b68c3d02", "source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "deprecated": false, "signature_version": "v1", "target": { "file": "security/security.c" }, "signature_type": "Line" }, { "digest": { "length": 16780.0, "function_hash": "142694543363166549731969492745042247747" }, "id": "ASB-A-200688826-bdedafdb", "source": "https://android.googlesource.com/kernel/common/+/d49297739550", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c", "function": "binder_transaction" }, "signature_type": "Function" }, { "digest": { "length": 710.0, "function_hash": "77996106764272309794010699920419347728" }, "id": "ASB-A-200688826-c66589d3", "source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "deprecated": false, "signature_version": "v1", "target": { "file": "security/selinux/hooks.c", "function": "selinux_binder_transfer_file" }, "signature_type": "Function" }, { "digest": { "length": 2262.0, "function_hash": "57742622803375176738804766632604004063" }, "id": "ASB-A-200688826-c736e444", "source": "https://android.googlesource.com/kernel/common/+/d49297739550", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c", "function": "binder_open" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "64150869290686575083186690153260310400", "136075930780036996911694635467234938593", "226743432505998202994331860352006131834" ] }, "id": "ASB-A-200688826-cd640dd3", "source": "https://android.googlesource.com/kernel/common/+/d49297739550", "deprecated": true, "signature_version": "v1", "target": { "file": "drivers/android/binder_internal.h" }, "signature_type": "Line" }, { "digest": { "length": 113.0, "function_hash": "332577417780383466937613046884585432468" }, "id": "ASB-A-200688826-d7657601", "source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "deprecated": false, "signature_version": "v1", "target": { "file": "security/security.c", "function": "security_binder_transaction" }, "signature_type": "Function" }, { "digest": { "length": 1244.0, "function_hash": "85518337345665821497069842466247453010" }, "id": "ASB-A-200688826-e4011b0d", "source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c", "function": "binder_translate_binder" }, "signature_type": "Function" }, { "digest": { "length": 16793.0, "function_hash": "143490369972289889972572789804002152494" }, "id": "ASB-A-200688826-e8bd7979", "source": "https://android.googlesource.com/kernel/common/+/11db2de0af2a", "deprecated": false, "signature_version": "v1", "target": { "file": "drivers/android/binder.c", "function": "binder_transaction" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "236834185967059883143811159878505321443", "188335292228109839063458195614305346396", "224932441292397737776181014305404926509" ] }, "id": "ASB-A-200688826-e8f4242f", "source": "https://android.googlesource.com/kernel/common/+/11db2de0af2a", "deprecated": false, "signature_version": "v1", "target": { "file": "include/linux/security.h" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/d49297739550", "https://android.googlesource.com/kernel/common/+/3af7a2f61023", "https://android.googlesource.com/kernel/common/+/11db2de0af2a", "https://android.googlesource.com/kernel/common/+/a4eacf3227bd" ], "spl": "2022-03-05", "severity": "High", "types": [ "EoP" ] }